CLI Guide - WatchGuard Technologies

WatchGuard ® 

Command Line 

Interface 

User Guide 

WatchGuard Firebox Vclass 5.1

Copyright 

Copyright © 1998-2003 WatchGuard Technologies, Inc. 

All rights reserved. 

Notice to Users 

Information in this document is subject to change and 

revision without notice. This documentation and the software 

described herein is subject to and may only be used and 

copied as outlined in the Firebox System software end-user 

license agreement. No part of this manual may be reproduced 

by any means, electronic or mechanical, for any purpose 

other than the purchaser’s personal use, without prior written 

permission from WatchGuard Technologies, Inc. 

TRADEMARK NOTES 

WatchGuard and LiveSecurity are either trademarks or 

registered trademarks of WatchGuard Technologies, Inc. in 

the United States and other countries. Firebox, ServerLock, 

DVCP, and Designing peace of mind are trademarks of 

WatchGuard Technologies, Inc. All other trademarks or 

trade names mentioned herein, if any, are the property of 

their respective owners. 

Part No: 1200016 

ii WatchGuard Vclass 5.1

WatchGuard Technologies, Inc. 

Firebox System Software 

End-User License Agreement 

WatchGuard Firebox System (WFS) End-User License 

Agreement 

IMPORTANT — READ CAREFULLY BEFORE 

ACCESSING WATCHGUARD SOFTWARE: 

This WFS End-User License Agreement (“AGREEMENT”) 

is a legal agreement between you (either an individual or a 

single entity) and WatchGuard Technologies, Inc. 

(“WATCHGUARD”)for the WATCHGUARD WFS software 

product identified above, which includes computer software 

and may include associated media, printed materials, and online 

or electronic documentation (“SOFTWARE 

PRODUCT”). WATCHGUARD is willing to license the 

SOFTWARE PRODUCT to you only on the condition that you 

accept all of the terms contained in this Agreement. Please 

read this Agreement carefully. By installing or using the 

SOFTWARE PRODUCT you agree to be bound by the terms 

of this Agreement. If you do not agree to the terms of this 

AGREEMENT, WATCHGUARD will not license the 

SOFTWARE PRODUCT to you, and you will not have any 

rights in the SOFTWARE PRODUCT. In that case, promptly 

return the SOFTWARE PRODUCT, along with proof of 

payment, to the authorized dealer from whom you obtained 

the SOFTWARE PRODUCT for a full refund of the price you 

paid. 

1. Ownership and License. The SOFTWARE PRODUCT is 

protected by copyright laws and international copyright 

treaties, as well as other intellectual property laws and 

treaties. This is a license agreement and NOT an agreement 

for sale. All title and copyrights in and to the SOFTWARE 

PRODUCT (including but not limited to any images, 

photographs, animations, video, audio, music, text, and 

applets incorporated into the SOFTWARE PRODUCT), the 

accompanying printed materials, and any copies of the 

WatchGuard Command Line Interface Guide iii

SOFTWARE PRODUCT are owned by WATCHGUARD or its 

suppliers. Your rights to use the SOFTWARE PRODUCT are 

as specified in this AGREEMENT, and WATCHGUARD 

retains all rights not expressly granted to you in this 

AGREEMENT. Nothing in this AGREEMENT constitutes a 

waiver of our rights under U.S. copyright law or any other 

law or treaty. 

2. Permitted Uses. You are granted the following rights to 

the SOFTWARE PRODUCT: 

(A) You may install and use the SOFTWARE PRODUCT on 

any single computer at any single location. If you wish to use 

the SOFTWARE PRODUCT on a different computer, you 

must erase the SOFTWARE PRODUCT from the first 

computer on which you installed it before you install it onto 

a second. 

(B) To use the SOFTWARE PRODUCT on more than one 

computer at once, you must license an additional copy of the 

SOFTWARE PRODUCT for each additional computer on 

which you want to use it. 

(C)You may make a single copy of the SOFTWARE 

PRODUCT for backup or archival purposes only. 

3. Prohibited Uses. You may not, without express written 

permission from WATCHGUARD: 

(A) Use, copy, modify, merge or transfer copies of the 

SOFTWARE PRODUCT or printed materials except as 

provided in this AGREEMENT; 

(B) Use any backup or archival copy of the SOFTWARE 

PRODUCT(or allow someone else to use such a copy) for any 

purpose other than to replace the original copy in the event it 

is destroyed or becomes defective; 

(C) Sublicense, lend, lease or rent the SOFTWARE 

PRODUCT; 

(D) Transfer this license to another party unless (i) the 

transfer is permanent, (ii) the third party recipient agrees to 

the terms of this AGREEMENT, and (iii) you do not retain 

any copies of the SOFTWARE PRODUCT; or 

(E) Reverse engineer, disassemble or decompile the 

SOFTWARE PRODUCT. 

iv WatchGuard Vclass 5.1

4. Limited Warranty. WATCHGUARD makes the 

following limited warranties for a period of ninety (90) days 

from the date you obtained the SOFTWARE PRODUCT from 

WatchGuard Technologies or an authorized dealer: 

(A) Media. The disks and documentation will be free from 

defects in materials and workmanship under normal use. If 

the disks or documentation fail to conform to this warranty, 

you may, as your sole and exclusive remedy, obtain a 

replacement free of charge if you return the defective disk or 

documentation to us with a dated proof of purchase. 

(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT 

will materially conform to the documentation that 

accompanies it. If the SOFTWARE PRODUCT fails to 

operate in accordance with this warranty, you may, as your 

sole and exclusive remedy, return all of the SOFTWARE 

PRODUCT and the documentation to the authorized dealer 

from whom you obtained it, along with a dated proof of 

purchase, specifying the problems, and they will provide you 

with a new version of the SOFTWARE PRODUCT or a full 

refund, at their election. 

Disclaimer and Release. THE WARRANTIES, 

OBLIGATIONS AND LIABILITIES OF WATCHGUARD, 

AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 

4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN 

SUBSTITUTION FOR, AND YOU HEREBY WAIVE, 

DISCLAIM AND RELEASE ANY AND ALL OTHER 

WARRANTIES, OBLIGATIONS AND LIABILITIES OF 

WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND 

REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, 

EXPRESS OR IMPLIED, ARISING BY LAW OR 

OTHERWISE, WITH RESPECT TO ANY 

NONCONFORMANCE OR DEFECT IN THE SOFTWARE 

PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY 

IMPLIED WARRANTY OF MERCHANTABILITY OR 

FITNESS FOR A PARTICULAR PURPOSE, ANY 

IMPLIED WARRANTY ARISING FROM COURSE OF 

PERFORMANCE, COURSE OF DEALING, OR USAGE OF 

TRADE, ANY WARRANTY OF NONINFRINGEMENT, 

ANY WARRANTY THAT THIS SOFTWARE PRODUCT 

WatchGuard Command Line Interface Guide v

WILL MEET YOUR REQUIREMENTS, ANY WARRANTY 

OF UNINTERRUPTED OR ERROR-FREE OPERATION, 

ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR 

REMEDY IN TORT, WHETHER OR NOT ARISING FROM 

THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR 

IMPUTED) OR FAULT OF WATCHGUARD AND ANY 

OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY 

FOR LOSS OR DAMAGE TO, OR CAUSED BY OR 

CONTRIBUTED TO BY, THE SOFTWARE PRODUCT). 

Limitation of Liability. WATCHGUARD’s liability (whether 

in contract, tort, or otherwise; and notwithstanding any fault, 

negligence, strict liability or product liability) with regard to 

THE SOFTWARE Product will in no event exceed the 

purchase price paid by you for such Product. IN NO EVENT 

WILL WATCHGUARD BE LIABLE TO YOU OR ANY 

THIRD PARTY, WHETHER ARISING IN CONTRACT 

(INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, 

PASSIVE OR IMPUTED NEGLIGENCE AND STRICT 

LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, 

INCIDENTAL, OR CONSEQUENTIAL DAMAGES 

(INCLUDING WITHOUT LIMITATION LOSS OF 

BUSINESS PROFITS, BUSINESS INTERRUPTION, OR 

LOSS OF BUSINESS INFORMATION) ARISING OUT OF 

OR IN CONNECTION WITH THIS WARRANTY OR THE 

USE OF OR INABILITY TO USE THE SOFTWARE 

PRODUCT, EVEN IF WATCHGUARD HAS BEEN 

ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

5. United States Government Restricted Rights. The 

enclosed SOFTWARE PRODUCT and documentation are 

provided with Restricted Rights. Use, duplication or 

disclosure by the U.S. Government or any agency or 

instrumentality thereof is subject to restrictions as set forth 

in subdivision (c)(1)(ii) of the Rights in Technical Data and 

Computer Software clause at DFARS 252.227-7013, or in 

subdivision (c)(1) and (2) of the Commercial Computer 

Software -- Restricted Rights Clause at 48 C.F.R. 52.227- 

19, as applicable. Manufacturer is WatchGuard 

Technologies, Incorporated, 505 Fifth Avenue, Suite 500, 

Seattle, WA 98104. 

vi WatchGuard Vclass 5.1

6. Export Controls. You agree not to directly or indirectly 

transfer the SOFTWARE PRODUCT or documentation to 

any country to which such transfer would be prohibited by the 

U.S. Export Administration Act and the regulations issued 

thereunder. 

7. Termination. This license and your right to use the 

SOFTWARE PRODUCT will automatically terminate if you 

fail to comply with any provisions of this AGREEMENT, 

destroy all copies of the SOFTWARE PRODUCT in your 

possession, or voluntarily return the SOFTWARE PRODUCT 

to WATCHGUARD. Upon termination you will destroy all 

copies of the SOFTWARE PRODUCT and documentation 

remaining in your control or possession. 

8. Miscellaneous Provisions. This AGREEMENT will be 

governed by and construed in accordance with the 

substantive laws of Washington excluding the 1980 United 

National Convention on Contracts for the International Sale 

of Goods, as amended. This is the entire AGREEMENT 

between us relating to the contents of this package, and 

supersedes any prior purchase order, communications, 

advertising or representations concerning the contents of this 

package AND BY USING THE SOFTWARE PRODUCT 

YOU AGREE TO THESE TERMS. No change or 

modification of this AGREEMENT will be valid unless it is in 

writing, and is signed by WATCHGUARD. 

9. Canadian Transactions: If you obtained this 

SOFTWARE PRODUCT in Canada, you agree to the 

following: 

The parties hereto have expressly required that the present 

AGREEMENT and its Exhibits be drawn up in the English 

language. / Les parties aux presentes ont expressement exige 

que la presente conventions et ses Annexes soient redigees en 

la langue anglaise. 

WatchGuard Command Line Interface Guide vii

viii WatchGuard Vclass 5.1

Contents 

Contents .......................................................................ix 

CHAPTER 1 Using the Command Line Interface ..........1 

Introducing the WatchGuard CLI .......................................1 

CLI capabilities .............................................................2 

CLI limitations ...............................................................3 

CLI Guide text conventions ...............................................3 

Getting started with the WatchGuard CLI ...........................5 

Connecting to an appliance .............................................5 

Logging into an appliance via a console connection .............6 

Logging into an existing appliance via a network connection .7 

Understanding the command prompt ................................8 

Abbreviating commands and keywords ..............................8 

Case sensitivity .............................................................9 

Extending command lines ...............................................9 

Typing arguments in a command ......................................9 

Deleting text in the Command Line Interface ....................10 

Using the CLI to add to or replace existing settings and policies 

...........................................................................10 

Grouping parameters in a command ...............................10 

Reviewing the recently used commands ...........................11 

WatchGuard Command Line Interface Guide ix

Navigating through the CLI ........................................... 13 

Common Navigation commands .................................... 14 

Using keywords .......................................................... 15 

Show command/argument (“name”) usage ...................... 16 

Viewing context-sensitive online help ............................. 17 

Logging out of the appliance ........................................ 18 

Installing and configuring a WatchGuard appliance .......... 19 

To log into a WatchGuard appliance for the first time: ........ 19 

To assign network addresses to appliance interfaces .......... 20 

To complete system configuration .................................. 20 

To create and apply security policies ............................... 21 

To remove/delete items from a WatchGuard database ....... 22 

To save and apply your most recent changes .................... 22 

To maintain an appliance .............................................. 22 

To troubleshoot an appliance ........................................ 22 

To restore an appliance to the factory-default state ........... 23 

To review the most recent tasks (at any level) .................... 23 

To get on-line help while working ................................... 24 

CHAPTER 2 Administration Mode Commands .......... 25 

Command syntax conventions used in this guide ............. 25 

Administration mode commands .................................... 27 

account command ...................................................... 28 

downgrade command ................................................. 29 

export command ........................................................ 30 

flush command ........................................................... 31 

ha_sync command ...................................................... 31 

import command ........................................................ 32 

operation_mode command .......................................... 35 

passwd command ....................................................... 36 

reboot command ........................................................ 37 

restore default command ............................................. 38 

shutdown command .................................................... 38 

upgrade command ..................................................... 39 

x WatchGuard Vclass 5.1

CHAPTER 3 Configuration Mode Commands .............41 

Top-level configuration mode commands ........................41 

abort command ..........................................................43 

address command .......................................................43 

certificate command ....................................................45 

commit command .......................................................45 

delete command .........................................................45 

denial_of_service command ..........................................46 

high_availability commands ...........................................47 

ike command ..............................................................48 

interface command ......................................................49 

ipsec command ..........................................................49 

license command ........................................................49 

log command .............................................................50 

nat command .............................................................54 

no command ..............................................................56 

policy command .........................................................57 

qos command ............................................................60 

ras command ..............................................................61 

rename command .......................................................61 

schedule command .....................................................62 

service command ........................................................63 

system command ........................................................64 

trace command ...........................................................64 

tenant command .........................................................65 

tunnel_switch command ...............................................65 

history command ........................................................66 

Second level configuration mode commands ...................66 

Level 2 certificate configuration commands ......................67 

Level 2 High Availability configuration commands ..............72 

Level 2 IKE configuration commands ...............................78 

Level 2 interface configuration commands ........................82 

Level 2 IPSec configuration commands ............................95 

Level 2 Quality of Service (QoS) configuration commands .100 

WatchGuard Command Line Interface Guide xi

Level 2 Remote Access Service (RAS) configuration commands 

........................................................................ 102 

Level 2 System Configuration commands ...................... 107 

Level 2 license commands (for upgraded or additional features) 

........................................................................ 117 

Level 2 tenant configuration commands ........................ 119 

Level 3 configuration mode commands ......................... 122 

Level 3 route configuration commands .......................... 122 

Level 3 log configuration commands ............................ 124 

CHAPTER 4 Debug Mode Commands ...................... 127 

Debugging/troubleshooting commands ........................ 127 

arp command .......................................................... 129 

clear_logs ................................................................ 129 

config_http command ............................................... 129 

conn_idle_timeout command ...................................... 130 

ha_instant_sync command .......................................... 130 

hwdiag command ..................................................... 131 

ifconfig command ..................................................... 131 

importscreen command ............................................. 132 

kernel_debug command ............................................ 133 

netstat command ...................................................... 134 

ping command ......................................................... 134 

pppoe_config command ............................................ 135 

radius_ping command ............................................... 135 

rcinfo command ....................................................... 137 

reboot command ...................................................... 137 

rs_kdiag command .................................................... 138 

set_dos_if command ................................................. 139 

slink command ......................................................... 139 

tcpdump command ................................................... 140 

traceroute command ................................................. 140 

verbose_trace command ............................................ 141 

vinstall command ...................................................... 141 

xii WatchGuard Vclass 5.1

CHAPTER 5 Other Commands ...................................143 

No command ...............................................................143 

Rename command .......................................................143 

Show command ...........................................................144 

Show command general usage ....................................144 

Show address command .............................................145 

Show alarm command ................................................146 

Show all_routes command ..........................................147 

Show certificate command ..........................................147 

Show CPM command .................................................148 

Show denial_of_service command ................................148 

Show diagnostics command ........................................148 

Show DNS command .................................................148 

Show IKE command ...................................................149 

Show interface command ............................................150 

Show IPSec command ................................................150 

Show LDAP command ................................................151 

Show license command ..............................................151 

Show log command ...................................................152 

Show mode command ...............................................152 

Show NAT command .................................................153 

Show NTP command .................................................153 

Show policy command ...............................................154 

Show QoS command .................................................154 

Show RAS command ..................................................155 

Show route command ................................................156 

Show SA command ....................................................156 

Show service command ..............................................157 

Show SNMP command ...............................................158 

Show statistics command ............................................158 

Show sysinfo command ..............................................158 

Show sysupgrade command ........................................159 

Show trace command .................................................159 

Show tunnel_switch command .....................................159 

Show version command ..............................................160 

WatchGuard Command Line Interface Guide xiii

Index ......................................................................... 161 

xiv WatchGuard Vclass 5.1

CHAPTER 1 Using the Command 

Line Interface 

Introducing the WatchGuard CLI 

The WatchGuard CLI (Command Line Interface) offers 

the experienced network administrator an efficient 

way to set up and manage WatchGuard Firebox Vclass 

security appliances via a terminal application. As the 

CLI architecture utilizes a model implemented in 

many industry-standard routers, network administrators 

familiar with routers commonly deployed in network 

environments will find the WatchGuard CLI is 

both easy to learn and to use. 

You can use the CLI to administer an appliance 

through a console port connection or through a network 

connection to any of the data interfaces via an 

SSH Client using protocol 2 or Telnet, once the appropriate 

firewall-access policies have been created and 

configured on the target appliance. 

While the CLI replicates most of the functionality of 

the WatchGuard Vcontroller application, we 

strongly recommend that you familiarize yourself 

with the use of WatchGuard Vcontroller before 

WatchGuard Command Line Interface Guide 1

CHAPTER 1: Using the Command Line Interface 

attempting to use the CLI. Learning the WatchGuard Vcontroller, 

its terms and processes, and the underlying “flow” 

of appliance administration, will establish a solid competency 

with concepts and terms used extensively in the CLI. 

We also recommend that you review the latest Release Notes 

for your WatchGuard security appliances and verify that 

the most current versions of WatchGuard and Java software 

are being used. Electronic copies may be obtained 

from the WatchGuard Technical Support web site 

(www.watchguard.com/support/). The Technical Support 

Group can also assist in verifying that you have all of the 

latest WatchGuard software. 

CLI capabilities 

The WatchGuard command line interface (CLI) provides 

you with simple, fast, command-line access to any local 

WatchGuard Firebox Vclass security appliance to perform 

most major administrative tasks, including rebooting, 

resetting appliance interface IP addresses, entering remote 

access user accounts, and managing policies, actions and 

proposals stored in the appliance database. 

An almost-complete list of CLI setup and administration 

tasks includes the following: 

• Configuring security appliance software 

• Interface (port) management 

• Viewing current system settings 

• Inserting new security policies 

• Editing or removing existing policies 

• Reorganizing sort order of policies 

• Configuring and using the High Availability feature 

• Opening and reviewing current log files 

• Displaying reports of tunnel and SA activities 

• Restoring factory-default configurations 

• Shutting down and restarting security appliances 

2 WatchGuard Vclass 5.1

CLI limitations 

CLI Guide text conventions 

Please note that the WatchGuard CLI is not a complete 

replacement for the WatchGuard Vcontroller application, 

as you cannot do the following with the CLI: 

• Set up probes that monitor the current activities of the 

security appliance 

• Set up, activate, and review alarms that are triggered 

by a range of operational circumstances 

• Import Certificate Revocation List (CRL) files or their 

contents 

• Create “admin” access user accounts 

• Create firewall-access internal user accounts 

CLI Guide text conventions 

To help you better use this guide, the following text conventions 

are used. 

Control key The symbol ^ represents the Control 

(CTRL) key and is usually used in 

combination with other text. For 

example, when you see the key 

combinations ^Z or Ctrl-Z, this 

means you should hold down the 

Control key while pressing the Z 

key. In the guide, these keys may be 

printed in capital letters, but 

“Ctrl+letter” functions are not casesensitive. 

Text strings A text string is defined as a set of 

user-variable characters. Text 

strings (or, strings) are usually 

presented as example data, or the 

kind of thing one might type for a 

particular value. Such an example 

might be presented enclosed in 



quotation marks; however, you do 

not need to type quotes when 

entering a text string. 

For example, we might say: set a 

user_profile name to 

“All_RAS_Users.” In this example, 

you could type your own user 

profile name (or string) in place of 

ALL_RAS_Users. 

You should enclose a string in 

quotes in instances where the text 

entry includes spaces. For example, 

if entering a name like “Joan 

Smith,” with a space between the 

first and last name, you should 

enclose this entry in quotations to 

preserve it as a single entity. 

For Example WG(config)#address -group 

exec_staff 

WG(config)#address -group 

"exec staff" 

Carriage returns Carriage returns are Enter key 

presses, and are represented by the 

or notation. 

Command examples may omit this 

notation for the sake of brevity. 

Letter spaces Space characters (entered by 

pressing the Space bar on the 

keyboard) are represented in a few 

instances in this Guide by the 

notation. In most cases, however, 

spaces are simply represented by 

actual spaces. For example, in: 

WG(config)#address -group 

exec_staff 


Getting started with the WatchGuard CLI 

There is a single space between 

“address” and “-group,” and 

“group” and “exec_staff.” 

Comments Comments are presented as 

italicized text preceded by the “#” 

character. 

# This is a sample comment. 

More command-specific and 

argument-specific conventions are 

detailed in “Command syntax 

conventions used in this guide” on 

page 21 


Connecting to an appliance 

The WatchGuard CLI can be used to perform pre-installation 

setup tasks, or to reconfigure or administer the appliance 

at any time. These comprise two distinct uses of the 

CLI, which in turn require different connections: 

• To use the CLI in pre-installation setup or to do direct 

administration of a WatchGuard appliance, you can 

directly connect the appliance to your workstation by 

connecting a cable from the Console port on the front 

of the appliance to a serial port on your workstation. 

Your Vclass package includes an adapter for this 

purpose. After this connection is made, you can 

connect directly to the appliance via a terminal 

application. 

• To use the CLI for administration after a WatchGuard 

appliance has been set up and configured, you can 

make use of existing network connections. All you 

need is (1) the IP address of a WatchGuard appliance 

data interface and (2) a currently active policy 



permitting CLI console (Telnet/SSH) access to the 

system through that interface. This may be done by 

means of the CLI or the WatchGuard Vcontroller, once 

configuration is complete. 

NOTE 

If you attempt to log into a functioning, fully configured 

WatchGuard appliance with the CLI, you must enter 

“admin” as the login (or “rsadmin” for legacy appliances), 

as the CLI will not permit use of any other “super admin” 

account names. 

Logging into an appliance via a console 

connection 

To log into a brand new “factory default” WatchGuard 

appliance by means of the CLI console and a console (serial 

port) connection, follow these steps: 

1 Start any terminal application and open a new 

connection window. 

2 Verify that the terminal has been set to VT100. 

NOTE 

If the terminal is not set to VT100, various functions may not 

work—^c will not break, ESC will not work and you’ll have 

problems with special characters. 

Connection parameters include: 

- 9600 bps 

- 8 data bits 

- No parity 

- 1 stop bit 

- Flow control: none 

3 Press once after configuring the connection 

parameters. 

The connection should be immediate, at which time a welcome 

message is displayed, followed by a WatchGuard “Login” 

prompt. 



4 As this is a new appliance, type “admin” (the default 

login text) and press . The login for a legacy 

appliance is “rsadmin.” 

A “Password” prompt is displayed. 

5 Type “admin” (again, the default password text) and 

press to submit the password and log in to 

this security appliance. The default password for a 

legacy device is “rsadmin.” 

If the login connection is successful, a WG# prompt is displayed. 

WatchGuard Firebox V100 (OS 4.0) 

login:admin 

Password:[type your password, nothing is 

displayed] 

WG# 

Welcome to the WatchGuard CLI Shell 

You can now work with the CLI. 

Logging into an existing appliance via a 

network connection 

To log into a currently active (configured) WatchGuard 

appliance over a network connection, follow these steps: 

1 Make sure that this appliance has an active policy 

permitting telnet/SSH access via a specific 

WatchGuard appliance interface. 

1 Start any telnet/SSH application and verify that your 

terminal emulation is “vt100” (necessary in Windows 

2000). 

2 Type the IP address or qualified network name of the 

appliance interface and press Enter. 

3 When a WatchGuard “Login” prompt is displayed, 

type “admin” (or “rsadmin” for a legacy appliance) 

and press . 



NOTE 

The CLI will not accept any other “superadmin” login 

names. 

A “Password” prompt is displayed. 

4 Type the current password (the default is “admin”, or 

“rsadmin” for a legacy appliance) and press 

to submit the password and log into this security 

appliance. 

A new WG# prompt is displayed. 

Understanding the command prompt 

As you navigate through the WatchGuard Command Line 

Interface, the command prompt will always indicate what 

command level/mode you are in. For example: 

Command Prompt Command Level/Mode 

WG# indicates that you are at the root level 

WG(config)# indicates that you are in Configuration mode 

WG(config-system)# indicates that you are in Configuration mode at the 

System level 

WG(config-if)# indicates that you are in Configuration mode at the 

System Interface level 

Abbreviating commands and keywords 

You can abbreviate the available commands and keywords 

for each command group or mode, down to the minimum 

number of characters that can safely be used to represent a 

command, so that it cannot be mistaken for another command 

by the CLI. For example, the command show can be 

abbreviated “sh” and the command dmz can be abbreviated 

as “d.” 

NOTE 

In Administration mode, you cannot use abbreviated 

commands. Administration mode requires that you type the 

full word for each command. 


Case sensitivity 


Commands, command arguments and keywords in the 

WatchGuard CLI are not case sensitive. For example, show 

policy is equivalent to SHow POLicy. 

NOTE 

Object name strings are case sensitive. Typing the address 

group name (string) “EveryBody_on_NET_A” is not the 

same as typing “everybody_on_net_a”! This covers all text 

strings, whether enclosed in quotes or not. 

Extending command lines 

Long command lines can be continued onto the next line of 

a terminal display by typing the backslash character (\) at 

the end of the command line, similar to the use of the backslash 

character in C programming syntax. This permits you 

to type more information (parameters) without breaking 

the continuity of the entire command. 

In the following example of a progression of four commands, 

the backslash character typed (\) right before the 

in the last command line enables the administrator 

to continue the contents of that command line onto the 

next line: 

WG# 

WG#configure 

WG(config)#cert 

WG(config-cert)#req cert –com WatchGuard – 

cou US \ 

 

-dns rs101.WatchGuard.com –key {rsa 1024 

both} 

Typing arguments in a command 

Be sure to type a "-" (hyphen) before any arguments, or the 

CLI will ignore and omit that argument’s condition. 



Deleting text in the Command Line Interface 

To delete characters to the left of the cursor, press the Backspace 

key, or press ^h. 

To delete all characters from the current position of the cursor 

back to the beginning of the command line, press ^u. 

Using the CLI to add to or replace existing 

settings and policies 

Existing settings can be modified using the WatchGuard 

CLI in two ways: 

1 An existing item can be overwritten/replaced with an 

entirely new item 

2 Additional entries or qualifications can be appended to 

an existing item 

Adding entries to an existing item requires use of the 

“plus” character (+). 

If a setting or entry already exists in this WatchGuard 

appliance, add a “plus” character (+) before additional elements 

to edit that setting. In the following example, an 

additional host with an IP address of 199.86.77.100 is added 

to the address group “VPNnet” 

WG(config)#address VPNnet + -host 

199.86.77.100 

WG(config)#exit 

Commit before exit? (Y/N):y 

WG#_ 

The named address group object VPNnet now has an additional 

(host) member with an IP address of 199.86.77.100. 

Grouping parameters in a command 

Groups of parameters may be repeated in a command line 

by surrounding the groups with “curly” brackets ({group1 

param1 param2} {group2 param1 param2} etc.). In the fol- 



lowing example of command line block repetition, the IP 

addresses, port numbers, and weighting is assigned for 

three servers in a round-robin load balanced cluster: 

WG(config)#nat –vip round –server \ 

{10.10.0.100 80 1} {10.10.0.101 80 2} \ 

{10.10.0.102 80 3} 

Note too, that the command line in the above example was 

“extended” with the use of the backslash (\) character, so 

that more parameters could be included in the command. 

Reviewing the recently used commands 

The WatchGuard CLI stores up to 20 commands (at each 

level in every mode) in a History buffer, which you can use 

to view your most recent tasks. 

• Type history at any prompt to review the 

last twenty commands applied at that level of the CLI. 

The CLI will append a number to each line, to indicate 

its place in the overall chronology. The higher the 

number, the more recently that command was enacted. 

(Note that active command history listings may have 

multiple-digit numbers.) 

• Type !! (two exclamation points) to recall and re-enact 

the most recently used command recorded in the 

buffer for this mode and level. 

• Type !6 (exclamation point followed by a number) to 

display and enact the command identified as “6” in the 

buffer at this CLI level. 

• Type !! to display the most 

recent command and to append it with arguments and 

values as needed. For example, if the last command 

was “show”, you could type “!!address” to display the 

current list of address groups. 



New or different command arguments may be “substituted” 

in the most-recent command line recalled from history. 

Use the format 

^old_command^new_command to effect a substitution as 

shown in the following example: 

WG#!49 < Recall command line #49 #This is the 

command. 

show service DNS #The next six lines are the result. 

Service Group: 

Name = DNS 

Description = "Domain Name Services" 

Protocol = UDP 

Server_port = 53 

WG#^DNS^SSH #This command substitutes SSH for DNS 

and show service 

SSH execute 

Service Group: #This shows the results. 

Name = SSH 

Description = "Secure Shell (Remote Login 

Protocol)" 

Protocol = TCP 


WG#_ 


Navigating through the CLI 


WG#!49 < Recall command line #49 #This is the 

command. 

show service DNS #The next six lines are the result. 

Service Group: 

Name = DNS 

Description = "Domain Name Services" 

Protocol = UDP 


WG#^DNS^SSH #This command substitutes SSH for DNS 

and show service 

SSH execute 

Service Group: #This shows the results. 

Name = SSH 

Description = "Secure Shell (Remote Login 

Protocol)" 

Protocol = TCP 


WG#_ 

At every command level and in all command modes, the 

exit command moves the CLI user “up” one level (back to 

the parent command level) in the command tree structure. 

If you issue the exit command at the top (root) level, you 

will log out of the system. See the following example: 

WG(config-system)#exit 

WG(config)#exit 

WG#exit 

#As a result, you are logged off the CLI 

and the display screen is cleared. 

WatchGuard (OS 4.0) 



At every command level except the top (root) level, entering 

the top command and pressing Enter “jumps” the CLI user 

from the current level to the top (root) command level. The 

top (root) command level does not have this command 

available as it isn’t necessary. See the following example: 

WG(config-qos)#top 

WG#_ 

Common Navigation commands 

The following commands can be used at any level of any 

CLI mode. 

history command 

WG#admin 

WG(admin)#history 

Effect 

Lists the twenty most recently exercised commands 

at this level. (When this command is applied at 

other levels, it will result in the last twenty 

commands entered at that specific level. For more 

information on extending or adapting this 

command, see “Reviewing the recently used 

commands” on page 11. 

Arguments 

This command has several adaptations that extend 

its usefulness. See “Reviewing the recently used 

commands” on page 11 for details. 

exit command 

WG(admin)#exit 

Effect 

Exits the current level of CLI and returns to the 

next-highest command level, all the way to the toplevel 

WG# prompt. 


Arguments 

None. 

Example 

WG(admin)#exit 


top command 

WG(admin)#top 

Effect 

Immediately returns to the top level of the 

WatchGuard CLI (the “WG#” prompt) from 

whatever level of CLI you are using. 

Arguments 

None. 

Example 

WG(admin)#top 

# As a result, the WG# prompt is displayed. 

Using keywords 

The CLI provides keywords such as enable, disable, and 

no that perform specific functions with system parameters. 

For example, enable and disable are used to enable and 

disable existing configurations such as policy schedules 

and system QoS settings. The following example shows an 

existing schedule configuration named “24_7_Schedule” 

being enabled: 

WG(config)#schedule 24_7_Schedule 

enable 

The keyword no functions as a simple “on/off” switch for 

configuration components, as shown in the following 

example: 

WG(config)#denial_of_service no - 

pingofdeath 



Show command/argument (“name”) usage 

Entering the show command along with a valid command 

name or argument will display all stored entries associated 

with the named term. See the following examples. These 

examples show only partial displays: 

Example 1: Show all security policy records 

WG(config)#show policy 

Ord NAME Dscpt Src 

Dest Svc 

1 PRIVATE_HTTPS ANY PRIVA 

HTTPS 

2 ALLOW_PING_FROM_PVT ANY INTER 

PING 

3 ALLOW_PING_FROM_PUB ANY INTER 

PING 

4 ALLOW_PING_FROM_DMZ ANY INTER 

PING 

5 ALLOW_OUTBOUND_DNAT ANY ANY 

ANY 

6 DENY_INBOUND Deny ANY 

ANY ANY 

7 HOST_OUT ANY ANY 

ANY 

WG(config)#_ 

Executing the show command followed by a specific name 

displays only the details associated with that specific 

named object, as shown in the following example: 



Example 2: Show only “private_https” security 

policy settings 

WG(config)#show policy PRIVATE_HTTPS 

Security Policy 

Name = PRIVATE_HTTPS 

Description = * * 

Order = 1 

Source = ANY 

Destination = interface_0_IP 

Service = HTTPS 

Viewing context-sensitive online help 

When you are logged into an appliance, you can use the 

built-in help system to view a list of currently available 

commands. These commands vary depending on your current 

location in the CLI. The types of help commands 

include the following: 

• Listing all available commands at a specific mode or 

level of CLI 

• Listing all of a command’s arguments (and associated 

values) along with their specific usage syntax 

1 To list all commands available in a particular command 

mode or level, type a question mark (?)or enter 

“help” at the command prompt. 

For example, enter? at the top (root) level command to return 

the following list of top-level command options: 

administration Enter administration mode 

configure Enter configuration mode 

debug Enter debug mode 

show Show current configuration and 

statistics 

history Show command history 

logout Exit the system 

exit Exit the system 

2 The WatchGuard CLI’s help system also lists a specific 

command’s argument options along with their specific 



usage syntax. For example, here is a help command 

that requests (and obtains) the command argument 

options and syntax used to configure a security policy: 

WG#configure 

WG(config)#policy? 

policy [ ] 

[-position ] 

[-firewall ] 

[

Installing and configuring a WatchGuard appliance 

Installing and configuring a WatchGuard 

appliance 

You can use the WatchGuard CLI to perform almost all 

setup and configuration tasks. We’ve organized the following 

catalog of tasks into general categories, with references 

to the series of CLI commands you would use to perform 

specific tasks. We’ve also organized the following catalog 

to chronologically guide you through the tasks in the 

proper sequence. 

The general flow of this series of categories and tasks follows 

that of the printed WatchGuard Vclass User Guide, 

beginning with installation, and continuing on to administration 

and policy configuration tasks. 

The tasks are sorted into the following general categories, 

and can be reviewed as noted here: 

• “To log into a WatchGuard appliance for the first time:” 

on page 19 

• “To assign network addresses to appliance interfaces” 

on page 20 

• “To complete system configuration” on page 20 

• “To create and apply security policies” on page 21 

• “To remove/delete items from a WatchGuard 

database” on page 22 

• “To save and apply your most recent changes” on 

page 22 

• “To maintain an appliance” on page 22 

• “To troubleshoot an appliance” on page 22 

• “To get on-line help while working” on page 24 

To log into a WatchGuard appliance for the 

first time: 

See the instructions detailed in “Logging into an appliance 

via a console connection” on page 6. 



To assign network addresses to appliance 

interfaces 

To assign network addresses to the data interfaces, use 

these commands (along with the arguments and values 

noted later in this user guide): 

Command Additional Information 

WG(config-if)#interface 0 

WG(config-if)#interface 1 

WG(config-if)#interface 2 if a DMZ interface is present 

WG(config-if)#ha2 if an HA2 port is present 

To complete system configuration 

To complete the initial system configuration, use these 

commands: 

Command Description 

WG(admin)#passwd change the default password to a new, 

secure password 

WG(config-sys)#route includes both static and dynamic 

routes 

WG(config-sys)#dns connect to a domain name server 

WG(config-sys)#snmp connect to any SNMP management 

stations 

WG(config-sys)#log activate needed system activity 

logging 

WG(config-sys)#ldap connect this appliance to an LDAP 

server 

WG(config)#tunnel_switch activate WatchGuard tunnelswitching 

features 




WG(config)#cert request and import needed certificates 

from CA’s 

WG(config)#denial_of_service customize anti-hacker protection for 

this appliance 

WG(config)#high_availability set up and activate a high-availability 

system, using the High Availibility 

feature 

WG(config)#log includes event, traffic and alarm log 

files 

To create and apply security policies 

To create and apply security policies, use these commands: 


WG(config)#address create all the needed address groups for 

use in policies 

WG(config)#service add new services or groups of related 

services 

WG(config-ike)#action create IKE actions for use in IKE 

policies) 

WG(config-ike)#policy create IKE policies for use in IPSec 

policies 

WG(config-ipsec)#action create IPSec actions for use in IPSec 

proposals 

WG(config-ipsec)#proposal create IPSec proposals for use in 

security policies 

WG(config)#nat create NAT actions (DNAT, SNAT or 

VIP) for use in policies 

WG(config)#vlan create VLAN IDs for use in policies 

WG(config-qos)#action create QoS actions for use in policies 

WG(config)#schedule create schedules for application to 

specific policies 




WG(config-ras)#group_profile create RAS group profiles for use in 

RAS policies 

WG(config-ras)#user_profile create RAS user accounts for use in 

RAS policies 

WG(config-ras)#database set up the user authentication system for 

RAS policies 

WG(config)#policy create the actual policies 

To remove/delete items from a WatchGuard 

database 

To remove a particular object (policy, action, group profile, 

etc.), use this command: 

WG(config)#delete 

To save and apply your most recent changes 

To save and apply the latest changes and additions to this 

appliance’s configurations and policies, use this command: 

WG(config)#commit 

To maintain an appliance 

To perform security appliance maintenance, use these commands: 


WG(admin)#flush flush all current connections and SAs 

WG(admin)#passwd replace the existing password with a new one 

WG(admin)#reboot reboot the WatchGuard appliance 

WG(admin)#shutdown shut down the WatchGuard appliance 

To troubleshoot an appliance 

To perform troubleshooting tasks, use these commands: 




WG(debug)#arp display and configure the arp table 

WG(debug)#netstat show network/connection states and statistics 

WG(debug)#ping verify network connectivity 

WG(debug)#radius_ping verify connection with a RADIUS server 

WG(debug)#tcpdump trace network packets 

WG(debug)#traceroute trace a route to a specific destination 

To restore an appliance to the factorydefault 

state 

WG(admin)#restore_default 

To review the most recent tasks (at any 

level) 

(CLI prompt)#history 



To get on-line help while working 

To get help with the WatchGuard CLI 


? online help at any prompt, or at the end of any other 

command 

show view a list of objects at the # prompt 

history view the last 20 commands entered at this level of the CLI; 

Enter at the # prompt 


CHAPTER 2 Administration Mode 

Commands 

All WatchGuard CLI commands are organized into 

groups, which are presented as specific command 

modes. This chapter covers the commands available in 

Administration Mode. 

Command syntax conventions used in this 

guide 

To help you better use this guide, the following text 

conventions are used. These conventions are in addi- 


CHAPTER 2: Administration Mode Commands 

tion to the text notation introduced in “CLI Guide text conventions” 

on page 3. 

Convention Description 

All required text is enclosed in angle brackets. 

- Some arguments must be preceded by a hyphen 

(“-”). If a hyphen is required, but you do not use 

it to precede the argument, that argument will be 

dropped. 

[text] Optional text is enclosed in square brackets. 

{text} Text wrapped in curly braces is optional, usually 

representing qualifications or values related to an 

argument. 

itemA | itemB Text items separated by a pipe character (vertical 

bar) indicate two options, of which only one can 

be entered. 

itemA &| itemB Text followed by an ampersand (&) and a pipe 

character (vertical bar) indicates two options, 

either or both of which can be entered. 

[item_A, item_B, A comma separating bracketed text indicates 

item_C] 

repeated options that may be entered one at a 

time or all at once. 

+ item A plus (+) sign preceding specific text represents 

additional elements that are being added to an 

existing setting. For example, to add a new 

“member” to an existing address group, you 

would type a “+” prior to the address 

information of the new member. 

no A “no” entered before an argument indicates 

that the argument is not to be included in the 

command. This is useful when entering a number 

of arguments, one of which should not be 

included yet must be entered in the command. 

\ A backslash character at the end of a portion of 

command line signifies that the command line 

has been broken at that point, and continues on 

the next line. 

If you enter a command in the CLI, such as the following: 

WG(config)#policy 

and press without adding any arguments to the 

command line, the WatchGuard CLI will display a com- 


Administration mode commands 

plete list of related arguments and values, in the form in 

which you should enter them. This is helpful when the CLI 

tells you that a command you just entered isn’t acceptable. 

You can call up this text to review requirements and syntax 

for a command or argument. 


The following catalog lists all of the administration mode 

commands, along with a description of the arguments for 

each command and the relevant values for each argument 

. 

Command For more information, see 

account “account command” on page 28 

downgrade “downgrade command” on page 29 

export “export command” on page 30 

flush “flush command” on page 31 

ha_sync “ha_sync command” on page 31 

import “import command” on page 32 

operation_mode “operation_mode command” on page 35 

passwd “passwd command” on page 36 

reboot “reboot command” on page 37 

restore_default “restore default command” on page 38 

shutdown “shutdown command” on page 38 

upgrade “upgrade command” on page 39 

history “history command” on page 14 

exit “exit command” on page 14 

top “top command” on page 15 



account command 

WG#admin 

WG(admin)#account 

-login_limit 

-login_limit 

-status 

-unlock |all 

-all 

Effect 

Allows you to view, set, and clear failed login attempt limits. 

Login limits provide a further level of security, and 

eliminate susceptibility to a “brute force” password hacks. 

The account management feature is available in all three 

operation modes (normal, FIPS, and CC). 

The CLI allows only the root superadmin “admin” to log 

in, while rejecting all other accounts, including userdefined 

superamin accounts. If you set the login_limit 

feature on the root superadmin user, it is possible for the 

superadmin to be locked out of the system. 

To work around this possible problem: 

1 Create another superadmin account in addition to the 

root superadmin “admin” account, using Vcontroller, 

before you set the login_limit for the root 

superadmin account. 

If the root superadmin “admin” is locked out because of 

exceeded login failures, you can use this separate, non-root-level 

superadmin account to login to Vcontroller with full 

administration privileges. 

2 In a text editor, create and save an ASCII text file with 

the following two lines: 

admin 

account -unlock admin 

3 In Vcontroller, click Diagnostics/CLI and select the CLI 

tab. 

This feature allows you to select a text file that contains CLI 

commands. 



4 Click Open. 

A Browse dialog appears. 

5 Select the text file you created earlier, and click Select. 

The admin account is unlocked. 

Arguments 

-login_limit 

This command displays the current login limits set 

for admin and user on the device. 

-login_limit 

This command sets the limit for failed attempts for 

the specified user type (admin or user) to the 

number specified. 

-status 

This command displays a table of failed login 

attempts for each user, provided the limit for the 

login name is greater than 0. 

-unlock |all 

This command unlocks a login name or all login 

names, after the name or names are locked due to 

failed login attempts. 

-all 

This command displays detailed information for all 

accounts on the device. 

Examples 

WG#admin 

WG(admin)#account -login_limit 

WG#admin 

WG(admin)#account -login_limit admin 5 

WG#admin 

WG(admin)#account -unlock joe_user 

downgrade command 

WG#admin 

WG(admin)#downgrade 



Effect 

Restores the system software to the previously 

installed version. 

Arguments 

None 

Example 

WG(admin)#downgrade 

NOTE 

If you apply this command, certain WatchGuard features 

incorporated in the current version may not be available 

afterwards. This will affect both configurations and policies 

in this appliance. You should make a careful review of this 

security appliance’s setup to prevent any problems. 

export command 

WG#admin 

WG(admin)#export 

Effect 

Exports certificate requests, the log archive, or an 

XML profile. The export command must be 

followed by a space and the name of the item to be 

exported: 

cert_request to export certificate requests 

log to export the log archive 

xml to export an XML profile 

ip to export the blocked or exception IP lists 

Each export option requires specific syntax. 

export cert_request: 

export cert_request [-tftp] 

-ftp 

-[console] 



#ex: export cert_request 20001 10.10.0.100:/RS/cert/ 

20001.req 

export log: 

export log [all|alarms|events|traffic|ras_user|p1sa|p2sa] 

[-tftp] 

-ftp 

export xml: 

export xml [-tftp] 

-ftp 

-[console] 

export ip: 

export ip {blocked|allowed} 

[-tftp] 

-ftp 

flush command 

WG#admin 

WG(admin)#flush 

Effect 

Resets all active connections, including SA’s. 

Arguments 

None. 

ha_sync command 

WG#admin 

WG(admin)#ha_sync 

NOTE 

This command is available only if the WatchGuard appliance 

you are currently logged into has High Availability enabled 

(using the “config-ha” command), is the Master appliance, 



and is connected to another security appliance assigned to a 

backup role. 

Effect 

Initiates the WatchGuard Firebox Vclass security 

appliance hotsync process, which copies the 

complete profile (configurations and policies) from 

this appliance to a designated backup appliance. 

After you restart the backup appliance, your “high 

availability” system is ready and active. 

Arguments 

None 

Example 

WG(admin)#ha_sync 

import command 

The import command allows you to import certificates. a 

certificate revocation list (CRL), an xml profile, or a list of 

blocked or allowed IPs. 

cert command 

WG#admin 

WG(admin)# import cert 

[-tftp] 

-ftp

crl command 


WG#admin 

WG(admin)# import crl 

[-tftp] 

-ftp


ip command 

WG#admin 

WG(admin)#import ip {blocked|allowed} 

{override|merge} 

[-tftp] 

-ftp 

Effect 

Imports a list of blocked or allowed IP addresses to 

the appliance database. 

Prerequisites 

The list of IP addresses must be a text file. The 

formatting information follows. 

For blocked IP, each line of the file should include: 

[space] [space] 

 

specifies the month, day, and 

year. 

specifies the hour, minute, and 

second. 

For example, a text file containing the following 

lines blocks these sites until the provided 

expiration time: 

12.11.12.15 8/14/2003 14:00:00 

12.13.22.8 10/19/2004 1:21:05 

To add blocked sites that do not expire, use only 

the IP address. 

Arguments 

blocked|allowed 

Specifies whether to import the contents of the text 

file to the blocked IP list, or to the allowed 

(exceptions) IP list. 

merge|override 



Merge merges the new IP addresses into the 

existing list of IP addresses. 

Override replaces all of the existing IP addresses 

with the IP addresses on the imported list. 

Example 

WG(admin)#WG(admin)# import ip blocked 

override –ftp 192.168.216.232:/tmp/ 

blockedip.txt 

operation_mode command 

WG#admin 

WG(admin)#operation_mode 

 

Effect 

This command changes the system mode to 

operate in normal, FIPS, or Common Criteria (CC) 

mode. 

FIPS mode 

FIPS 140-2 is a standard that describes government 

requirements that cryptographic hardware or 

software products must meet. FIPS certification is 

required for products that are sold to the 

government. 

FIPS mode disables or changes the following 

functionality: 

- Shell access is disabled (for example, sucode). 

- Unprotected remote access is disabled, including 

telnet and SSH. To login to the box using telnet 

requires a physical connection to the console port. 

- Non-qualified algorithms are disabled (MD5). 

- SSL3.0 is disabled. Support for TLS is still 

included. 

- A direct crypto interface to the Rapidcore and 

other crypto modules is provided for the startup 



crypto self-test, and random number generation 

can be tested. 

- Object reuse is avoided. Keys are zeroed out 

when they are no longer in use. 

Common Criteria (CC) mode 

Common Criteria (CC) defines a language for 

defining and evaluating information technology 

security systems and products. The framework 

provided by Common Criteria allows US 

government agencies and other groups to define 

sets of specific requirements. 

IT security products purchased by the US 

Government for National Security Systems, which 

handle Classified and some non-Classified 

information, are required to be Common Criteria 

certified. 

Common Criteria mode conforms to EAL4 level. 

Common Criteria mode disables or changes the 

following functionality: 

- HTTPS uses 3DES-SHA1 encryption only. 

- User login failure count can be configured, and 

users can be locked out after the failure count is 

met. See “account command” on page 28 for 

more information. 

passwd command 

WG#admin 

WG(admin)#passwd 

Effect 

Replaces the current “admin” super user access 

password text with a new entry. This command 

initiates a several-step process in which you will be 

prompted to enter the new password twice, before 

it takes effect. See “Process” immediately following 

for details. 



Process 

Type a space, then the text of the current password 

after the command. 

When you press , a “New password:” 

prompt is displayed, at which you can type the 

new password, using between 6 and 20 characters. 

NOTE 

ALERT: Please note that no text will appear on-screen as 

you type. 

When you press to submit the new 

password text, a “Reconfirm password:” prompt is 

displayed. Retype the same text (during which no 

text will appear on-screen.) 

When you press , the new password will 

be confirmed and stored in the appliance, then 

immediately put into effect. 

Example 

WG(admin)#passwd: 

New password: * 

# Remember, no text will appear when you type. 

Reconfirm password: * 

Password change completed! 

WG(admin)# 

NOTE 

Remember to write the new password down and store the 

note in a safe place. If you forget the password and lose the 

note, contact WatchGuard for assistance. 

reboot command 

WG#admin 

WG(admin)#reboot 

Effect 

Shuts down, then restarts this WatchGuard Firebox 

Vclass security appliance. You will be 



automatically logged out of the appliance, but after 

a few minutes (and a considerable display of status 

messages), the main login prompt will appear. You 

can log in again at this time. 

Arguments 

None. 

restore default command 

WG#admin 

WG(admin)#restore_default 

Effect 

Reinitializes this appliance and restores the 

original “factory default” configuration. Once this 

process is complete, you can log in again, then start 

over with appliance installation, configuration and 

policy creation, either by manual entry or 

importing of a profile from another appliance. 

Arguments 

None. 

Results 

After applying this command, the CLI will 

immediately record a series of “restoring” status 

messages, along with “please wait…” messages. 

When the restoration is complete, the main login 

prompt will appear. 

You can now log into the appliance with the user 

name of “admin” and the password of “admin” to 

begin reconfiguration of this appliance. 

shutdown command 

WG#admin 

WG(admin)#shutdown 

Effect 



Shuts down this WatchGuard appliance. You will 

be automatically logged out of the appliance, at 

which time you can break the CLI connection. 

Arguments 

None. 

upgrade command 

WG(admin)#upgrade 

upgrade [-tftp] 

upgrade -ftp 

Effect 

Upgrades the system software, using a “.rsu” file, 

from a specific location. 

Example 

upgrade -ftp wg:wg@ftp.watchguard.com:/patch/ 

upgrade.rsu 




CHAPTER 3 Configuration Mode 

Commands 




Configuration Mode. 

Top-level configuration mode commands 

The following catalog lists the top-level configuration 

mode commands, with a description of the arguments 

for each command and the values for each argument. 

Also included, where applicable, is the sequence of 

“config” commands necessary to reach a specific command 

level where a particular command can be 

entered and used. 


CHAPTER 3: Configuration Mode Commands 

Command For more information 

abort See “abort command” on page 43. 

address See “address command” on page 43. 

certificate See “certificate command” on page 45. 

commit See “commit command” on page 45. 

delete See “delete command” on page 45. 

denial_of_service See “denial_of_service command” on page 46. 

high_availability See “high_availability commands” on page 47. 

ike See “ike command” on page 48. 

interface See “interface command” on page 49. 

ipsec See “ipsec command” on page 49. 

license See “license command” on page 49. 

log See “log command” on page 50. 

nat See “nat command” on page 54. 

no See “no command” on page 56. 

policy See “policy command” on page 57. 

qos See “qos command” on page 60. 

ras See “ras command” on page 61. 

rename See “rename command” on page 61. 

schedule See “schedule command” on page 62. 

service See “service command” on page 63. 

system See “system command” on page 64. 

trace See “trace command” on page 64. 

tenant See “tenant command” on page 65. 

tunnel_switch See “tunnel_switch command” on page 65. 

show See “history command” on page 66. 

history See “history command” on page 14. 

exit See “exit command” on page 14. 

top See “top command” on page 15. 


abort command 


WG#config 

WG(config)#abort 

Effect 

Aborts (erases) all system configuration changes 

made since the last use of the 

WG(config)#commit command. This empties the 

cache of to-be-committed changes and additions. 

Arguments 

None 

address command 

WG#config 

WG(config)#address [+] -host 

\ 

[]… -net []… -range \ 

[]… \ 

-group []… 

Effect 

Creates a new address object or modifies an 

existing group, depending upon the use of the “+” 

character. This command must start with a new or 

existing “name” and can incorporate the following: 

(1) a single IP address, (2) a range of IP addresses, 

(3) a subnet, and (4) a group of existing address 

entries that you may want to combine into a single 

entity. 

Arguments 

 

This argument notes a new “name” for this group. 

You can then type one or more of the following 



addressing arguments, depending upon the 

contents of this address. 

-host [a.b.c.d]… 

This argument notes a single IP address (omitting 

subnet information.) 

-net [a.b.c.d/e]… 

This argument notes a single subnet IP address and 

subnet mask (representing all the individual IP 

addresses in that subnet.) 

-range [] 

This argument notes a range of IP addresses. 

-group [address_name]… 

This argument notes a group of existing address 

entries that you want to combine into a single 

entity. 

+ 

This character, when inserted in the command line 

in the proper location, allows you to add a new 

address member to an existing group. You must 

have the exact name of the group – in its casesensitive 

form, prior to adding new entries. 

Examples 

WG(config)# address my_nets -host 

10.10.1.1/16 

# Creating a new address group with a single host 

WG(config)# address my_nets -range 

14.0.2.1- \ 

14.0.2.125 

# Creating a new address group with a range of IP 

addresses 

WG(config)# address my_nets + -net 

10.29.0.0/16 

# Add a new address to an existing address group 


certificate command 


WG#config 

WG(config)#certificate 

Effect 

Enters the certificate-configuration mode, at which 

point you can enter certificate-specific task 

commands and their arguments. 

Arguments 

None in this mode. 

See Also 

For more information about “certificate” mode 

commands, see “Level 2 certificate configuration 


commit command 

WG#config 

WG(config)#commit 

Effect 

This command applies all uncommitted policy, 

system configuration changes, and additions to the 

appliance. 

Arguments 

None 

delete command 

WG#config 

WG(config)#delete 

Effect 

Deletes a specifically named object, such as an 

address group, policy, action, or service. 

Arguments 

 

This argument records the exact name of the to-bedeleted 

item. 



Example 

WG(config)#delete address 

exec_addresses 

# This command deletes an address group named 

“exec_addresses”. 

WG(config)#delete ike policy "HQ 

IKE" 

# This command deletes an IKE policy named “HQ 

IKE”. 

denial_of_service command 

WG#config 

WG(config)#[no][-icmp [threshold]] 

#threshold packet/s;default=1000 

[no][-syn [threshold]] 


[no][-udp [threshold]] 


[no][-pingofdeath] 

[no][-sourceroute] 

[no][-server_ddos [threshold]] 

#threshold connection/s;default=100 

[no][-client_ddos [threshold]] 

#threshold connection/s;default=100 

Effect 

Records your preferences for denial-of-service 

defense parameters. You can enter any or all of the 

customizable arguments listed below. 

Arguments 

[no][-icmp ] 

Activates ICMP flood protection with a user-noted 

threshold noted as packets per second; 

default = 1000. 

[no][-syn ] 

Activates TCP/SYN flood protection with a usernoted 

threshold; default=5000. 

[no][-udp ] 

Activates UDP flood protection with a user-noted 

threshold; default=1000. 



[no][-pingofdeath] 

Activates ping-of-death protection. 

[no][-sourceroute] 

Activates source route protection by disallowing 

source route options. 

[no][-server_ddos ] 

Activates server DDOS protection; the default 

threshold = 100, which controls the maximum 

number of connections permitted to any one 

server. 

[no][-client_ddos ] 

Activates client DDOS protection; the default 

threshold=100, which controls the maximum 

number of connection requests permitted to a 

single client. 

no 

Enter this before any options you want to 

deactivate in this appliance, as shown above. 

Example 

WG(config)#denial -syn 1000 no - 

udp 

high_availability commands 

NOTE 

High Availability commands will not be available to you if 

the WatchGuard appliance you are administering does not 

feature any HA ports. In addition, you need a High 

Availability feature license. 

Enter high availability configuration mode 

WG#config 

WG(config)# high_availability 



Effect 

Enters the high availability (HA) configuration 

mode, at which point you can enter HA specific 


Arguments 


See Also 

For more information about “HA” mode 

commands, see “Level 2 High Availability 

configuration commands” on page 72. 

Disable high availability mode 

WG#config 

WG(config)#no high_availability 

Effect 

Disables high availability if it is already in effect. 

Arguments 

None. 

ike command 

WG#config 

WG(config)#ike 

Effect 

Enters the IKE configuration mode, at which point 

you can enter IKE-specific commands and their 

arguments. 

Arguments 


See Also 

For more information about “IKE” mode 

commands, see “Level 2 IKE configuration 



interface command 


WG#config 

WG(config)#interface 

Effect 

Enters the system interface configuration mode, at 

which point you can enter interface-specific 


Arguments 


See Also 

See “Level 2 interface configuration commands” on 

page 82 for details on specific “interface” mode 

commands. 

ipsec command 

WG#config 

WG(config)#ipsec 

Effect 

Enters the IPSec configuration mode, at which 

point you can enter IPSec action- and proposalspecific 


Arguments 


See Also 

For more information about “IPSec” mode 

commands, see “Level 2 IPSec configuration 


license command 

WG#config 

WG(config)#license 



Effect 

Enters license parameter configuration mode, at 

which point you can enter license-specific 


Arguments 


See Also 

For more information about “license” mode 

commands, see “Level 2 license commands (for 

upgraded or additional features)” on page 117. 

log command 

no command (log level) 

WG#config 

WG(config)#log 

WG(config-log)#no 

 

Effect 

Disables logging for the specified log. 

Arguments 

None 

Example 

WG#config 


WG(config-log)#no traffic 

clear all command (log level) 

WG#config 


WG(config-log)#no 

 

Effect 

Clears all logs. 


Arguments 

None 

Example 

WG#config 


WG(config-log)#clear_all 

diagnostics command (log level) 


WG#config 


WG(config-log)#diagnostics [ike ] 

#level=1-6 

[cmm ] 

[ nm ] 

[pmm ] 

[ ha ] 

Effect 

Runs log diagnostics for the specified feature. 

Arguments 

None 

Example 

WG#config 


WG(config-log)#diagnostics ha 1 

[no] event command (log level) 

WG#config 


WG(config-log)# [no] event 

 

Effect 

Turns logging on (or off, if the command is 

preceded by “no”) for the specified error level. 

Arguments 

None 



Example 

WG#config 


WG(config-log)#event administration 

[no] remote command (log level) 

WG(config-log)#[no] remote 

[default] 

[-alarm 

] 

[-event 

] 

[-traffic 

] 

[-p1sa 

] 

[-p2sa 

] 

[-ras 

] 

# facility:= 

[auth|authpriv|cron|daemon|ftp|kern|lpr|ma 

il 

# 

|news|syslog|user|uucp|local0|local1|...|l 

ocal7] 

# priority:= 

[original|debug|info|notice|warning 

# |err|Crit|alert|emerg] 

Effect 

Turns remote logging on or off for the specified 

logs and error levels. 

Arguments 

None 

Example 

WG#config 


WG(config-log)#remote 10.10.10.99 default 


[no] traffic command (log level) 

WG#config 


WG(config-log)#[no] traffic 

Effect 

Turns the traffic log on or off. 

Arguments 

None 

Example 

WG#config 


WG(config-log)#traffic 

history command (log level) 


WG#config 


WG(config-log)#history 

Effect 

Shows up to the last 20 commands. 

Arguments 

None 

Example 

WG#config 


WG(config-log)#history 

rename command (log level) 

WG#config 


WG(config-log)#rename 

address rename address groups 

ike rename IKE actions/ 

policies 

ipsec rename IPSec actions/ 

proposals 



nat rename NAT actions 

policy rename security 

policies 

qos rename QoS actions 

ras rename RAS group 

schedule rename schedule actions 

service rename service groups 

Effect 

Allows you to rename various items. 

See also 

See “rename command” on page 61. 

nat command 

WG#config 

WG(config)#nat [-static_nat ]| \ 

[-vip 

- 

server [+] \ 

{ [weight]}…>] 

Effect 

Records a new NAT action for use in security 

policies. You can create one of three possible NAT 

actions, choosing from VIP, DNAT or Static NAT. 

Arguments 

 

If this is to be a load-balancing or static NAT action, 

enter a short, distinctive name for this new action 

following the NAT command prompt. 

-static_nat < -external > 

\ 

 



(For one-to-one and subnet-to-subnet mapping) 

This argument specifies (1) that this is a static NAT 

action, and records the address groups associated 

with the internal and external sources. The address 

groups can be single IP addresses or subnets. 

-vip | - 

server [+] \ 

{ [IP address] … 

}> 

This argument specifies that this is a loadbalancing 

(virtual IP) NAT action, and records (1) 

the algorithm that will be applied and (2) the server 

addresses and port numbers. If a weighted 

algorithm is used, this argument adds (3) the perserver 

weight assignments. 

The load-balancing algorithm argument values 

include the following entries: 

round_robin: Denotes the round robin algorithm 

wround_robin: Denotes weighted round robin 

random: Denotes random 

wrandom: Denotes weighted random 

least_connection: Denotes least connection 

wleast_connection: Denotes weighted least 

connection 

TIP 

If you are adding a new server/weight to an 

existing VIP NAT action, prefix the new server 

record with a “+” character. 

If you are entering the “server” argument, you 

must note (1) the IP address of the server, the port 

number it will watch and the proportion of traffic 

this server will be assigned, noted as a whole 

number. 



NOTE 

Note that dynamic NAT is already present in the 

WatchGuard database by default, and is ready for use in 

security policies. You can specify “dynamic_nat” as the NAT 

action when you create the appropriate policies 

Examples 

WG(config)#nat load_balancing –vip 

wround –server \ 

{10.10.0.100 80 1} {10.10.0.101 80 2} \ 

{10.10.0.102 80 3} 

WG(config)#nat natS -stat -ext pub1 -int 

\ 

web_server1 

Record dynamic security policy IP NAT action 

WG#config 

WG(config)#nat [-dynamic_nat 

] 

Effect 

Records a new dynamic IP NAT action for use in 

security policies. You can create one of two 

possible DNAT options, choosing from the default 

IP address for interface 1 or a user-designated IP 

address 

Arguments 

 

If this is to be a user-designated IP address DNAT 

action, enter the IP address of your choice as the 

command argument. If you are using the default 

interface 1 IP address, enter that in the argument. 

no command 

WG#config 

WG(config)#no 

high_availability disable high 

availability 



Effect 

Disables the high availability feature. 

Arguments 

None 

Example 

WG#config 

WG(config)#no high_availability 

policy command 

WG#config 

WG(config)#policy 

policy [ ] 

[-position ] 

[-firewall ] 

[


destination address groups to which this policy 

will be applied. 

 

This argument records the interface this policy will 

apply to. 

[-position ] 

This argument records which numbered location 

this policy occupies in the policy table. 

[-firewall ] 

This argument allows you to specify which firewall 

option to apply. 

[] 

These arguments allow you to combine various 

preexisting actions in this one policy, including: 

-service: Enter the name of a service group 

after this argument. 

-tenant: Enter the name of a tenant object after 

this argument. 

-nat: Enter the name of a NAT action after this 

argument. 

-qos: Enter the name of a QoS action after this 

argument. 

-schedule: Enter the name of a schedule after 


-ipsec: Enter the name of an IPSec action after 


[{-tosF | -tosR} ] 

This argument records the TOS marking direction 

and marking bit. “bbbbbb” represents the six bit 



positions that you can choose from. You pick a 

location and enter a “1” to mark that bit. 

[-log_per_policy [enable|disable] ] 

This argument allows you to enable or disable 

logging on a per-policy basis. 

[-icmp_error_handling_per_policy 

[[global | all] | 

[[no] fragmentation_required] 

[[no] time_exceeded] 

[[no] network_unreachable] 

[[no] host_unreachable] 

[[no] port_unreachable] ] 

This argument allows you to implement ICMP 

error handling per policy, and specify error 

handling options. 

[-mss_adjustment_per_policy [auto| 

limit_to |disable|use_global]] 

This argument allows you to specify a per-policy 

TCP Maximum Segment Size. See 

“mss_adjustment” on page 112 for more 

information on these settings. To use the global 

settings, use the argument use_global. 

Examples 

WG(config)#policy Allow_Outbound Any 

Any \ 

interface 0 -firewall pass -nat 

DYNAMIC_NAT 

WG(config)#policy HQ_BR_VPN HQ BR 

interface 0 \ 

-firewall pass -ipsec bi HQ_IPsec 

 

WG(config)#policy SJ_NY_VPN SJ NY 

interface 1 \ 



-firewall pass -ipsec SJ_NY_IPSec 

 

WG(config)#policy SJ_LA_VPN \ 

-mss_adjustment_per_policy \ 

limit_to 1400 

WG(config)#policy SJ_NY_VPN \ 

-icmp_error_handling_per_policy all 

WG(config)#policy SJ_NY_VPN -position 5 

 

The previous example shows a relocation of policy 

SJ_NY_VPN to the fifth position (row) in the policy 

table. 

NOTE 

You can combine a range of actions (“-vlan”, -“ipsec”, “nat”, 

“-schedule”, etc.) in a single policy, as needed. For 

more information on policy action combinations, especially 

to determine what will and what won’t work, see the User 

Guide. 

qos command 

WG#config 

WG(config)#qos 

Effect 

Enters the Quality of Service (QoS) configuration 

mode, at which point you can enter QoS actionspecific 

task commands and their arguments. 

Arguments 


See Also 

For more information about “QoS” mode 

commands, see “Level 2 Quality of Service (QoS) 



as command 


WG#config 

WG(config)#ras 

Effect 

Enters the remote access services (RAS) 

configuration mode, at which point you can enter 

RAS connection-specific commands and their 

arguments. 

Arguments 


See Also 

See “Level 2 Remote Access Service (RAS) 

configuration commands” on page 102 for details 

on specific “RAS” mode commands. 

rename command 

WG#config 

WG(config)#rename \ 

 

Effect 

Substitutes a new name for an existing object name. 

Arguments 

 

Use this argument to enter the type of object this 

name is applied to, whether (for example) an IPSec 

action, an address group, a RAS user profile, etc. 

 

Use this command to enter the existing name. 

 

Use this command to enter the new name. 

Example 

WG(config)#rename address eng_net 

engineering 



schedule command 

WG#config 

WG(config)#schedule 

[-all| \ 

-mon|-tue|-wed|-thu|-fri|-sat|-sun] 

{hr:min-hr:min \ 

[hr:min-hr:min ][hr:min-hr:min ][hr:minhr:min 

]} 

Effect 

Use this command to set up a schedule for use in 

the application of policies. Schedules can be set up 

for the same hours for every day or for different 

daily schedules, depending upon the arguments. 

Arguments 

 

Type a short, descriptive name for this schedule. 

 

This argument specifies whether this schedule is 

currently active or not. 

- 

This argument defines the days of the week. The 

values can either be noted as “all” for all seven 

days, or include any combination of days of the 

week–mon, tue, wed, thu, fri, sat, and sun. 

{hour:minute-hour:minute} 

This argument (which can be repeated for different 

blocks of time) should note a range of hours, such 

as “9:00-12:00” (which indicates 9:00am to Noon.) 

Be sure to wrap the range in curly brackets, as 

shown in the examples below. Hours must be 

converted to and noted in military time– 

according to the 24-hour clock. 

TIP 

A midnight start time should be entered as “0:00”. 



Example 

WG(config)#schedule workdays -mon \ 

{8:00-12:00 13:00-19:00} (line break) - 

fri \ 

{9:00-12:00} enable 

WG(config)#schedule 24_7 -all {0:00- 

24:00} 

service command 

WG#config 

WG(config)#service [+] \ 

 

Effect 

Records a new service entry (individual or group) 

for use in policies. The service must be noted as 

either a “single” service, a “range” of port numbers 

for a single service, or, as a “group” of existing 

related services. 

Arguments 

 

Enter the name of this new service or group. 

-single { } 

Use this argument to note the protocol and port 

number of a single service. 

-range { } 

Use this argument to note the protocol and two or 

more port numbers for a single service. 

-group { [ 

\ 

]} 



Use this argument to note the names of two or 

more related services. 

+ 

Use this argument (the “+” character) to add an 

additional service to an existing group.) 

Examples 

WG(config)# service ldap -single tcp 389 

WG(config)# service my_app -range tcp 

6000-6006 

WG(config)# service my_app + -single udp 

6010 

WG(config)# service email -group 

"mail_SMTP" \ 

-group "POP3" 

system command 

WG#config 

WG(config)#system 

Effect 

Enters system parameter configuration mode, at 

which point you can enter system-specific 


Arguments 


See Also 

For more information about “system” mode 

commands, see “Level 2 System Configuration 


trace command 

WG#config 

WG(config)#trace [ike ] #level=1-6 

[cmm ] 

[ nm ] 

[pmm ] 

[ ha ] 



Effect 

Runs a trace for the specified object. 

Arguments 


tenant command 

WG#config 

WG(config)#tenant 

Effect 

Enters the tenant configuration mode, at which 

point you can record a new tenant entry for either a 

VLAN or user-domain tenant. 

Arguments 

None in this level. 

See Also 

See “Level 2 tenant configuration commands” on 

page 119 for more information about the next level 

of tenant commands. 

tunnel_switch command 

WG#config 

WG(config)#tunnel_switch 

Effect 

Enables (or disables) the tunnel switching 

capability of this WatchGuard appliance, according 

to the specific argument. (Must be done before 

applying specific tunnel-switching security 

policies.) 

Arguments 

 

The default state is “disable”. 

Example 

WG(config)#tunnel_switch enable 



history command 

WG#config 

WG(config)#history 

Effect 

Shows the last 20 commands exercised at this level 

of CLI. Note, too, that you can apply it at any level 

of the CLI. 

For example, you may apply the “history” 

command after extensive policy creation, and see a 

series of 20 commands, starting with “64” and 

ending with “83”–the most recent command 

being listed as 83. 

Arguments 

None 

Example 

WG(config)#history 

Results 

Executed Commands: 

0 ike 

1 address 

2 address "pubs" -host 10.10.99.1 

3 show address pubs 

4 dos 

5 denial 

WG(config)# 

Second level configuration mode commands 

The following sections detail the second-level configuration 

commands, has been divided into “task” or “topical” 

collections, which include the following: 

• “Level 2 certificate configuration commands” on 

page 67 



• “Level 2 High Availability configuration commands” 

on page 72 

• “Level 2 IKE configuration commands” on page 78 

• “Level 2 interface configuration commands” on 

page 82 

• “Level 2 IPSec configuration commands” on page 95 

• “Level 2 license commands (for upgraded or additional 

features)” on page 117 

• “Level 2 Quality of Service (QoS) configuration 

commands” on page 100 

• “Level 2 Remote Access Service (RAS) configuration 

commands” on page 102 

• “Level 2 System Configuration commands” on 

page 107 

• “Level 2 tenant configuration commands” on page 119 

Level 2 certificate configuration commands 

request command (configure certificate level) 

WG#config 

WG(config)#certificate 

WG(config-cert)#request -company 

\ 

[-country] [-department ] 

-dns_name \ 

[-ip_address ] [user_domain 

\ 

] [-key_usage { 

\ 

}] 

Effect 

Generates a VPN certificate request that can be sent 

to a certifying authority. After executing this 

command (with the required arguments), you must 

cut the resulting certificate text and paste it into the 

relevant form: an e-mail message, a Web-site 



request or a text file, that you transmit to the 

proper authority. 

Arguments 

 

This argument notes the host name of this 

appliance (omitting the remainder of the DNS 

entry.) 

-company 

This argument notes the name of your company or 

organization. 

-country 

This argument notes the name (or official 

abbreviation) of your country's name. The default 

is “US”. 

-department 

This optional argument notes the specific 

department name. 

-dns_name 

This argument notes the fully qualified DNS name 

of this appliance. 

-ip_address 

This argument notes the IP address of this 

appliance’s interface 1. 

-user_domain 

This argument notes a user domain name, if any. 

-key_usage { 

} 

This argument notes the key usage particulars, 

including RSA or DSA and the key length in bits. 

This argument also notes your choice of encryption 

or signature (or both.) 

Example 

WG(config-cert)request -cert1 -com 

BigCompany \ 



-cou US -dns RS1.WatchGuard.com -key \ 

{rsa 1024 both} 

If this command is successful, the CLI will prompt 

you to cut and paste the results into the 

appropriate means of submitting this request to the 

authority. 

import command (configure certificate level) 

WG#config 


WG(config-cert)#import 

Effect 

Assists in the importing of the contents of a newlyreceived 

VPN or Web certificate into the 

WatchGuard appliance database. 

To import a certificate, you must open the 

certificate file and copy the text, then paste it into 

the command in the proper location, as shown in 

the following example. 

Arguments 

None. 

Examples 

WG(config-cert)# import 

Results 

On-screen instructions appear, as shown here. 

Paste certificate below, then press 

Enter. 

-----BEGIN CERTIFICATE----- 

MIIC1jCCAj+gAwIBAgIDBJYLMA0GCSqGSIb3DQE 

BBAUAMCgxCzAJBgNVBAYTAlVTMRkwFwYDVQQKEx 

BSYXBpZFN0cmVhbSBJbmMuMB4XDTAxMDIxOTA0M 

jAyNVoXDTAxMDUyMDA0MjAyNVowOzELMAkGA1UE 

BhMCVVMxGTAXBgNVBAoTEFJhcGlkU3RyZWFtQ8D 

CCtvvThQ2ug== 

-----END CERTIFICATE----- 



show command (configure certificate level) 

WG#config 


WG(config-cert)#show [cert_id] 

Effect 

Displays the properties of a specific certificate or a 

certificate request. If no “specific certificate” 

argument is used, this command lists all the 

current certificates and pending certificate 

Arguments 

[cert_id] 

This optional argument records a specific 

certificate ID. 

Examples 

WG(config-cert)# show 

OrdTYPE NAMESubjectCert idKeyAlgo 

1 Pndg cn=a,o=WatchGuard,c=US 

cn=a,o=WatchGuard, 

c=20001 RSA 

2 CA o=WatchGuard Inc.,c=US o=WatchGuard 

Inc., 

c=U 1075246528 RSA 

—OR— 

WG(config-cert)# show 20001 

Pending Certificate 

Name:cn=a,o=rapidstreaym,c=US 

Subject:cn=a,o=rapidstreaym,c=US 

Cert ID:20001 

DNS Name:WatchGuard.com 

Key Algorithm:RSALength: 1024 

Key Usage:both 

Issued by: 

Valid Period:- 

-----BEGIN CERTIFICATE REQUEST----- 

MIIBvzCCASgCAQAwMDELMAkGA1UEBhMCVVMxFTA 

TBgNVBAoTDHJhcGlkc3RyZWF5bTEKMAgGA1UEAx 



MBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCg 

YEAuMih4lNe7UH8+DVTHRD2lTf+tYcCvWbExscA 

hhZd92ipnxdeelulzhhPj8ICcxnFTmVtkx70Dlp 

Sx5Do20rY+BqDgPjasG7wdeQDpT94KmbBYBjYbY 

tX1e1mukxXi546D2JNHYEqQJmTFTNYuono4eUNI 

48LfLJQ5xZVj7cCAwEAAaBPME0GCSqGSIb3DQEJ 

DjFAMD4wCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAo 

GCCsGAQUFCAICMBoGA1UdEQQTMBGCD3JhcGlkc3 

RyZWFtLmNvbTANBgkqhkiG9w0BAQQFAAOBgQBFA 

tGzBt6JIK2SfOUjnFXTYS09N9kKPjYe9SMOgCkg 

K30SbOIcSdWK92liT93XxE+ZXGiqvtCe49YF4lS 

0sqeF9ssFLlK8gOLYalT1K1uJqHkthVJosa06n0 

wLDvFYsJNZ4Y7FayvTVQAp+5zBo+5mkkzsgN3q7 

TlNR5B1zDrFA== 

-----END CERTIFICATE REQUEST----- 

ssl command (configure certificate level) 

WG#config 


WG(config-cert)#ssl 

Effect 

Creates a Web (SSL) certificate request for this 

appliance. After the request is generated, you must 

copy-and-paste the text to a text file and send it to a 

third party CA as part of a formal request for a Web 

certificate. 

Arguments 

 

Use this argument to enter either the IP address or 

host name of this security appliance. 

Example 

WG(config-ssl)# ssl rs101 

Creating certificate request could take 

several minutes. 

Please wait… 

-----BEGIN CERTIFICATE REQUEST----- 

MIIBbTCB1wIBADAQMQ4wDAYDVQQDEwVyczEwMTC 

BnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyr 



3Tg/ 

jHZMiI9MaleoizYygY5rWtipDCUCmop6ZeR/ 

q8uhrhBDjikB6j02CMXQFE6eCWNFqC8CjzHqWY2 

v+IPPoyDBOrfGHl4Icn8/ 

ZZNJIv4lXAeSmhDqSo9tqrUVKlyh/TD/ 

6JF9x2v3GaVNUZEmk5+LTT/iEdCrehhr/ 

YfxECAwEAAaAeBHn/nu1msTyGjzqtP42IzQM/ 

6YTj2uHMGPF/Y8FTYgCE 

-----END CERTIFICATE REQUEST----- 

Level 2 High Availability configuration 

commands 

show command (configure high availability level) 

WG#config 

WG(config)#high_availability 

WG(config-ha)#show 

Effect 

Displays the configuration settings for any High 

Availability ports in this WatchGuard appliance. 

Arguments 

None 


Example 


WG(config-ha)#show 

HA Type: Active_Active 

Primary System Name =2026 

Secondary System Name =2027 

No Shared Secret 

Interfaces Primary IP Mask Secondary IP Mask 

Monitoring 

0: 192.168.104.64 255.255.255.0 192.168.104.65 255.255.255.0 ON 

1: 192.128.134.32 255.255.255.0 192.128.134.33 255.255.255.0 ON 

2: 30.0.0.1 255.0.0.0 30.0.0.8 255.0.0.0 OFF 

3: 40.0.0.1 255.0.0.0 40.0.0.2 255.0.0.0 OFF 

Advanced HA Parameters: HA1:Enabled HA2:Disabled 

Primary 

HA1 IP 1.0.0.1 netmask 255.255.255.0 

HA2 IP 10.10.10.26 netmask 255.255.0.0 

Secondary 

HA1 IP 1.0.0.3 netmask 255.255.255.0 

HA2 IP 10.10.10.27 netmask 255.255.0.0 

HA Status 

HA Role: Primary 

DB Time Stamp: 

Primary: Thu Dec 5 16:38:58 2002 

Secondary: Thu Dec 5 16:38:58 2002 

Status: Primary: ACTIVE Secondary: ACTIVE 



Enable high availability 

WG#config 


WG(config-ha)$ 

[active_standby | active_active] 

[advanced] Enter Advanced 

Setting Mode 

[disable] 

[hotsync] 

[monitor ] 

[ [interface N ip ] | 

[-name systemName2] ] 

[no][shared_secret secret1] 

show show current configuration 

and statistics 

history show command history 

exit go back to parent level 

top go back to root level 

Effect 

Enables high availability in WatchGuard 

appliances with one or more HA interfaces, and 

assists you in entering precise HA system settings. 

Arguments 

active_standby | active_active 

This turns high availability on in either Active/ 

Standby mode or Active/Active mode. For more 

information on these modes, see the Vcontroller 

User Guide. 

advanced 

This enters advanced High Availability 

configuration mode, and shows the following 

prompt: 

WG(config-ha-advanced)$ 



For more information, see “High Availability 

advanced configuration mode” on page 77 

disable 

Disables High Availability. 

hotsync 

Syncs the local appliance with its peer. In Active/ 

Standby mode a hotsync should be performed 

every time the configuration of the Active box is 

changed. In Active/Active mode, a hotsync should 

only be performed during the initial setup, when 

the secondary appliance is in factory default 

configuration. 

monitor {1 & | 2} 

This optional command specifies which interface (1 

or 2) you want this appliance to monitor for link 

status. (Note that the 0 (private) interface is always 

being monitored.) 

[interface N 

ip ] | 

[-name systemName2] ] 

[no][shared_secret secret1] 

ha1_interface \ 

 

This command configures the IP address of the 

HA1 interface of the master and backup 

appliances. 

ha2_interface \ 

 

This command configures the IP address of the 



HA2 interface of the master and backup 

appliances–if needed. 

 

This command will, depending on your use, 

activate or deactivate the HA system. 

polling_interval 

This optional command establishes the HA polling 

interval. The default value is “1 second”, but you 

can increase it to “15” if you choose. 

id 

This optional command notes the VRRP group ID 

for this HA pairing, if one has been assigned to it. 

The number should be between 1 and 255. 

Example 

WG(config-ha)# monitor {pub} poll 

5 

Apply high availability configuration changes 

WG#config 


WG(config-ha)#exit 

Effect 

Initiates the process of saving and applying any 

just-completed HA interface configurations. You 

will be asked to confirm the committing of these 

changes, at which time you can press Y to do so. 

Arguments 

None 

Example 

WG(config-ha)#exit 

Commit (Y/N)?y 

… 

HA IP address is set to 12.10.1.2, 

please wait for it to take effect… 

WG(config-ha)# 



High Availability advanced configuration mode 

WG#config 


WG(config-ha)#advanced 

WG(config-ha-advanced)# 

[action ] 

[ha2 ] 

[primary ip ] 

[secondary | 

] 

show show current 

configuration and statistics 

history show command 

history 

rename rename an object 

exit go back to parent 

level 

top go back to root 

level 

Effect 

Allows you to configure advanced settings for 

High Availability. 

Arguments 

action 

Allows you to manually failover or restart the local 

or peer appliance of the HA pair. The local 

appliance is the one you are connected to, and the 

peer is its HA pair. 

ha2 

Allow you to enable the HA2 port for HA use. 

When this is enabled, and the HA2 ports are 

connected between the two appliances, in addition 



to the HA1 ports, an added level of redundancy is 

insured. 

primary ip 

secondary | 

This allows you to set the IP addresses and 

netmasks for the primary and secondary device’s 

HA ports. 

Example 

WG#config 


WG(config-ha)#advanced 

WG(config-ha-advanced)#primary ha1 ip \ 

10.10.10.11|255.255.0.0 \ 

secondary ha1 ip 10.10.10.12 

Level 2 IKE configuration commands 

action command (configure IKE level) 

WG#config 

WG(config)#ike 

WG(config-ike)#action \ 

[no] 

[-natt [-natt_keepalive 

] ] 

[extended_authentication] [+] \ 

-rsa 

{} \ 

-dss {} \ 

-preshared 

{


Arguments 

 

Enter the name of this action prior to recording the 

arguments. 

 

This argument specifies your choice of mode. 

[-natt [-natt_keepalive 

]] 

-natt enables or disables NAT Traversal (UDP 

encapsulation). 

-natt_keepalive allows you to specify the time 

in seconds between keep-alive messages. 

[extended_authentication] 

This argument, when present, activates extended 

authentication, used for remote access connection 

requests. 

-rsa 

{} 

This argument and its values detail the RSA IKE 

transform. 

-dss { \ 

&| lifesize[KB|MB]>} 

This argument and its values detail the DSS IKE 

transform. 

-preshared { 

\ 

} 

This argument and its values specify the preshared 

key IKE transform. In all of the three 



preceding arguments, the following values are 

options you can apply: 

Option Description 

g1 and g2 the two Diffie-Hellman group options. 

des|3des represent two encryption algorithm options. 

md5|sha represent two other encryption algorithm options. 

Lifetimeminutes/hours 

represent a key lifetime setting, measured in time. 

Lifesize-KB/MB represent a key lifetime, measured in kilo- or 

megabytes. 

Example 

WG(config-ike)#action my_act -main \ 

(line break) 

–rsa {g2 3des md5 10hr 100MB} {g1 des 

sha 45min} \ 

–dss {g2 3des sha 8hr} 

policy command (configure IKE level) 

WG#config 

WG(config)#ike 

WG(config-ike)#policy \ 

-action 

\ 

-peer \ 

[-local 

{} [-preshared ] 

\ 

[-position ] 

Effect 

Records a new IKE policy, including actions. 



Arguments 

 

This argument records a brief, descriptive name for 

this policy. 

< * |peer_address> 

This argument notes either “any” (indicated by *) 

or the address group representing the peer 

appliance(s). 

-action 

This argument notes the name of the IKE action 

used by this policy. 

-peer | -address &| - 

domain \ 

&| -user_domain 

&| -X.500 \ 

0] 

This argument specifies the means of identifying 

the peer appliance from these five options. You can 

enter “any” as the sole option or combine any of 

these options (and values) in this argument: 


represents an address group used as peer ID type. 

represents a domain name as the peer ID type. 

represents a user domain name as the peer ID 

type. 

represents X.500 as the peer ID type. 

[-local { This optional argument specifies which ID 

}] for -peer, as noted above. 

[-preshared This optional argument records the text of 




] this policy. You must enter the actual key text as 

either ASCII text or hexadecimal notation. 

[-position This argument records the numeric 

] position assigned to this policy in the IKE policy 

table. 

Example 

WG(config-ike)#policy "Remote Users" * - 

action \ 

remote_users -peer -domain 

WatchGuard.com \ 

-user_domain WatchGuard.com -local 

{20001 domain} 

WG(config-ike)#policy IKE_NY_SJ 

NY_Gateway \ 

-action psk_main -peer any -preshared \ 

"secret" 

Level 2 interface configuration commands 

Enter system interface configuration mode 

WG#config 


Effect 

Enters the system interface configuration mode. 

Arguments 

None. Please review the rest of this section for 

related commands. 

show command (configure interface level) 

WG#config 


WG(config-if)#show 



Effect 

Displays the current network address settings for 

each of the main security appliance data 

interfaces–0 (private), 1 (public) or 2 (DMZ, where 

applicable.) 

Arguments 

None. 

Example 

WG(config-if)# show 

The results appear as shown in this example: 

interface 0: ip = 10.10.13.101 

net 

mask = 255.255.0.0 

status = UP 

mac 

address = 00:01:21:10 

:01:e5 

interface 1: ip = 16.10.203.121 

net 

mask = 255.255.255.0 

status = DOWN 

mac 

address = 00:01:21:10 

:01:e6 

interface 2: ip = 10.20.0.1 

net 

mask = 255.255.255.0 

status = DOWN 

mac 

address = 00:01:21:10 

:01:e7 

interface 0 command (configure interface level) 

WG#config 


WG(config-if)#interface 0 [ [-mtu 

num] 

[-100_full_duplex | - 

100_half_duplex| 



-10_full_duplex|-10_half_duplex 

| -auto]] | 

[[no] dhcp_server -clients num [-lease_time num 

[hours|days]]] 

[dhcp_relay ] 

# -lease_time default is 7 days 

Effect 

Use this command to configure the network 

identity of a WatchGuard appliance's interface 0 

(Private). 

Arguments 

 

This argument records the IP address assigned to 

this interface. 

 

This argument records the number of bits in the 

subnet mask (for example, “/16” is equivalent to 

the address 255.255.0.0), or the actual subnet mask 

address. 

-mtu num 

This allows you to set the size of the Maximum 

Transmission Unit (MTU). The default is 1500 

bytes. 

[-100_full_duplex | -100_half_duplex| 

-10_full_duplex|-10_half_duplex | - 

auto]] | 

This setting allows you to specify the speed at 

which the interface will operate. 

[[no] dhcp_server -clients num [lease_time 

num [hours|days]]] 

This allows you to active the DHCP server service 

on this interface, and specify information for it, 

including the number of clients allowed DHCP 

access, and the leasing time for a DHCP address. 

The lease time default is 7 days. 



Put “no” in front of this command to turn off the 

DHCP server on this interface. 

[dhcp_relay ] 

This allows you to use a separate DHCP server on 

your network to serve DHCP addresses, with the 

Vclass acting as a DHCP agent. 

Example 

WG(config-if)#interface 0 10.12.12.7 

255.255.255.0 \ 

-mtu 1500 -100_half_duplex no 

dhcp_server 

or 

WG(config-if)#interface 0 10.12.12.7/24 -mtu 

1500 \ 

-100_half_duplex no dhcp_server 

or 


1500 \ 

-100_half_duplex dhcp_relay 

10.0.0.253 

private command (configure interface level, V10 

only) 

WG#config 


WG(config-if)#private 

[no] dhcp_server -clients NUMBER [lease_time 

NUMBER] 

Effect 

Use this command to configure DHCP server 

options assigned to a WatchGuard V10 appliance's 

Private (0) interface. 



Arguments 

 



 


subnet mask, or the subnet mask. 

dhcp_server 

Enter this argument to activate DHCP server 

service on this appliance. 

-clients NUMBER 

This argument indicates the number of clients 

permitted DHCP access. 

-lease_time NUMBER 

This argument indicates the lease time for all client 

connections, and any limitations, recorded as 

minutes. 

[no] dhcp_server 

Enter this argument to disable any previously 

active DHCP service. 

Example 

WG(config-if)#private 192.168.1.1 255.255.255.0 

dhcp_server \ 

-clients 3 -lease_time 60 

interface 1 command (configure interface level) 

WG#config 


WG(config-if)# interface 1 [ | 

[-mtu num] | 


-10_full_duplex|-10_half_duplex | -auto]] | 

[dhcp [host_id]] | 

[pppoe -user "name" -password "password" 

[ ]] 

[-unnumbered_pppoe |disable]] 

[backup [ip mask gateway ]| 

[dhcp [host_id] ] | 

[pppoe -user "name" -password "password"] 



[-unnumbered_pppoe |disable]] | 

[disable] | 

[switch_to_backup] | 

[tracking -remove|-add 

-interval 

-timeout 

-pause_before_failback ] ] 

#num is either auto reconnect delay in seconds. 

#or if dial_on_demand, the idle timeout in minutes. 

#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20 

#backup PPPoE connection only supports ALWAYS_ON. 

Effect 


identity of a WatchGuard appliance’s interface 1 

(Public), if it is a publicly routable, fixed IP address. 

Arguments 

 



 




address. 

[-mtu num] 



bytes. 



auto]] | 



[dhcp ["host_id"]] | 

This allows you to obtain the IP address of 

interface 1 using DHCP. 

[pppoe -user "name" -password 

"password"] 

This allows you to set Interface 1 to PPPoE. If the 



password contains the pound (#) character, it 

needs to be placed in double quotes. 

[ 

This allows you to set PPPoE to Dial-on-Demand or 

Always On mode. The function of following 

this option differs in each mode. For Dial-on- 

Demand mode, this number indicates the inactivity 

timeout interval in minutes (default is 20 minutes). 

For Always On mode, this number indicates the 

auto-reconnect interval in seconds (default is 60 

seconds). 

[-unnumbered_pppoe |disable]] 

This option allows you to use unnumbered PPPoE. 

For more information on unnumbered links, see 

RFC 1812 section 2.2.7. 

[backup [ip mask 

gateway ] | [dhcp [host_id] ] 

| [pppoe -user "name" -password 

"password"] 

[unnumbered_pppoe |disable] 

[disable] 

[switch_to_backup] 

This allows you to enable a Backup WAN 

connection for Interface 1, for systems that have 

unreliable ISPs or network providers. You can 

configure the failover connection as static, by 

typing the IP address, netmask, and gateway. You 

can configure the failover connection as DHCP 

using the [dhcp ["host_id"]] syntax. You can 

configure the interface as PPPoE (always on) using 

the [pppoe -user "name" -password 

"password"] syntax. You can configure the 

backup WAN connection as unnumbered PPPoE 

using the syntax [unnumbered_pppoe 

|disable]. 

You can disable the backup connection by using the 

option [disable]. 



You can switch to the backup connection using the 

command switch_to_backup. 

[tracking -remove|-add 

-interval 

-timeout 

-pause_before_failback 

] ] 

For systems that configure a Backup WAN 

connection using the failover command, these 

settings must be specified. You can add up to three 

IP addresses that are used to determine WAN 

failure. These addresses are used with the 

-interval and -timeout values to determine 

when the WAN connection has failed. 

-interval determines the amount of time that 

elapses between attempts to ping all three specified 

tracking addresses. -timeout determines the 

amount of time that can elapse before a ping 

attempt is considered failed. All three specified IP 

addresses must fail to respond to the ping attempt 

within the specified time to consider the WAN 

connection failed. 

In the event of failure, the WAN is switched over to 

the backup connection. This causes a brief 

interruption in processing while the system 

restarts. In order to prevent frequent restarts, the 

final parameter, -pause_before_failback, is 

provided. This allows you to specify the amount of 

time that must elapse between failovers. 



Example 

WG(config-if)#interface 1 10.10.12.8\ 

255.255.0.0 -mtu 1500\ 

-10_full_duplex 

or 

WG(config-if)#interface 1 10.10.12.8/16 

-mtu 1500 -10_full_duplex 

Example (PPPoE) 

WG(config-if)#interface 1 pppoe\ 

-user joeuser -password joepass\ 

-always_on 60 

Example (DHCP) 

WG(config-if)#interface 1 dhcp dhcpsrvr 

Example (Backup Connection) 


255.255.0.0 -mtu auto\ 

-backup ip 10.10.24.16 mask 255.255.0.0\ 

gateway 10.100.99.1 tracking -add 

124.12.15.16 

interface 2 (DMZ) command (configure interface 

level) 

WG#config 


WG(config-if)#interface 2 

[-mtu num] 



-10_full_duplex|- 

10_half_duplex | -auto] 

Effect 


identity of a WatchGuard appliance's interface 2 

(DMZ), where applicable. 


Arguments 

 




 




address. 

-mtu num 



bytes. 



auto]] | 



Example 


255.255.255.0 \ 

-mtu 1500 -10_full_duplex 

or 


1500 \ 

-10_full_duplex 

interface 3 (DMZ2) command (configure interface 

level, V60 and V80 only) 

WG#config 


WG(config-if)#interface 3 

[-mtu num] 





-10_full_duplex|- 

10_half_duplex | -auto] 

Effect 


identity of a WatchGuard appliance's interface 3, 

where applicable. 

Arguments 

 



 




address. 

-mtu num 



bytes. 



auto]] | 



Example 


255.255.255.0 \ 

-mtu 1500 -auto 

or 


1500 \ 

-auto 



ha1 command (configure interface level) 

WG#config 


WG(config-if)#ha1 

Effect 


identity of a WatchGuard appliance's High 

Availability 1 interface, when this interface is used 

for management access instead of H-A 

functionality. 

Arguments 

 



 



Example 

WG(config-if)#ha1 10.0.0.1 

255.255.255.0 

or 

WG(config-if)#ha1 10.0.0.1/24 

ha2 command (configure interface level) 

WG#config 


WG(config-if)#ha2 

Effect 


identity of a WatchGuard appliance's High 

Availability 2 interface, when this interface is used 

for management access instead of H-A 

functionality. 



Arguments 

 



 



Example 

WG(config-if)#ha2 10.0.0.1 

255.255.255.0 

or 

WG(config-if)#ha2 10.0.0.1/24 

mode command 

WG(config-if)# mode router | 

transparent 

Effect 

Use to switch the appliance between Router mode 

and Transparent mode. 

An appliance can only be switched from Router 

mode (default) to Transparent mode when the 

appliance is in the factory default configuration 

state. You are prompted to restore the system to the 

factory default state when you attempt this switch. 

An appliance can be switched from Transparent 

mode to Router mode in any configuration 

condition. 

A restart is required in order to for mode switching 

take effect. 

Arguments 

None 

Example 

WG(config-if)# mode router 



Apply interface address changes to appliance 

WG#config 


WG(config-if)#exit 

Effect 

Use this command to immediately apply any 

interface address changes to this appliance. The 

appliance will update you with status messages (as 

shown below) to inform you about the process. 

Arguments 

None 

Example 

WG(config-if)# exit 

Commit (Y/N)?y 

Results 

… 

interface 1 IP address is set to 

16.10.203.121, 

please wait for it to take effect… 

WG(config)# 

Level 2 IPSec configuration commands 

action command (configure IPSec level) 

WG#config 

WG(config)#ipsec 

WG(config-ipsec)#action \ 

< -tunnel_mode | - 

transport_mode> \ 

-auto_key [no] pfs_group … 

\ 

-manual_key \ 

-esp \ 

 

\ 

-ah \ 

 



Effect 

Records a new IPSec action (manual key or 

automatic key), including one or more proposals 

which have been created beforehand. 

Arguments 

 

Type a unique name for this action. 

 

This argument determines whether this action is 

tunnel mode or transport mode. 

 

If you enter tunnel mode, you must then qualify it 

with one of the following: (1) enter "*" to indicate 

ANY source, (2) enter a specific peer appliance’s IP 

address, or (3) enter the name of an address group 

containing the peer IP address. 

-auto_key 

Enter this argument if this action utilizes an 

automatic key. Do not use the “manual–key” if 

using an automatic key. 

The following two arguments further qualify this 

automatic key exchange. 

[no] pfs_group 

If this action uses an automatic key, use this 

argument to specify which perfect forward security 

option (Diffie-Hellman Group 1 or 2) will be used. 

If none is used, you can preface this argument with 

“no”. 

[…] 

If this action uses an automatic key, use this 

argument to enter the IKE proposal names 

(whether one or more.) 

-manual_key 

Enter this argument if this action employs a 

manual key. (If doing so, do not use the “auto_key” 

argument.) The following ten arguments (grouped 



around ESP and AH algorithms) qualify this 

manual key exchange. 

-esp 

Enter this argument if this action employs an ESP 

protocol for the manual key. 

 

Use this argument to enter a unique number that 

represents the SPI of this appliance. The number 

should be between 256 and 65535. 

 

Use this argument to enter a different, unique 

number that represents the SPI of the peer security 

appliance. The number should be between 256 and 

65535. 

 

Use this argument to pick either DES or 3DES 

encryption algorithms. 

 

This argument will contain the actual manual key 

text, noted in ASCII or hexadecimal notation. 

-ah 

Enter this argument if this action employs an AH 

protocol for the manual key. 

 

Use this argument to enter a unique number that 

represents the SPI of this appliance. The number 

should be between 256 and 65535. 

 

Use this argument to enter a different, unique 

number that represents the SPI of the peer security 



appliance. The number should be between 256 and 

65535. 

 

Use this argument to pick either MD5 or SHA 

encryption algorithms. 

 

This argument will contain the actual manual key 

text, noted in ASCII or hexadecimal notation. 

Example 

WG(config-ipsec)# action NY_IPSec - 

tunnel \ 

NY_Gateway -auto no pfs_group 

MAX_SECURITY \ 

ESP-3DES 

# This command creates an auto-key IPSec action with 

peer tunnel. The IP is NY_Gateway, no PFS, the first 

proposal is MAX_SECURITY and the second is 

ESP_3DES. 

WG(config-ipsec)# action 

remote_user_ipsec \ 

-tunnel * -auto pfs_group 1 ESP-3DES-MD5 

\ 

ESP-DES-MD5 

# This command creates a tunnel mode, auto-key IPSec 

action for remote users. The peer tunnel IP is * 

(ANY),PFS uses DH group 1, and there are two 

proposals: ESP-3DES-MD5 and ESP-DES-MD5. 

WG(config-ipsec)# action SJ_Man -tunnel 

\ 

102.39.45.28 -man -esp 256 982 3des 

mankey 

# This command results in a tunnel-mode, manual-key 

IPSec action with a peer tunnel IP address of 

102.39.45.28. It uses ESP-3DES (local SPI is 256, peer 

SPI is 982) and the key text is “mankey”. 



proposal command (configure IPSec level) 

WG#config 

WG(config)#ipsec 

WG(config-ipsec)#proposal [+] \ 

[-antireplay_window [0|32|64]] \ 

-esp {} \ 

-ah {}… 

Effect 

Creates or modifies an IPSec proposal that can then 

be incorporated into IPSec actions (which can then 

be added to security policies.) 

Arguments 

 

This argument notes the name assigned to this new 

proposal. 

-antireplay_window 

This argument (and the required value) sets the 

anti-replay window size. 

-esp { [md5|sha] } 

If you want to include an ESP transform in this 

proposal, type this argument, plus the necessary 

values–algorithm, life size, life time. 

-ah { } 

If you want to include an AH transform in this 

proposal, type this argument, plus the necessary 

values–algorithm, life size, life time. 

+ 

Type this character before entering a new 

transform that will be added to an existing IPSec 

proposal. 



Examples 

WG(config-ipsec)#proposal "new_prop1" - 

antireplay \ 

32 -esp {3des md5 10hrs} {des md5 5hr 

10MB -ah \ 

{sha 34min 100MB} 

# This example shows the creation of a 

new proposal. 

WG(config-ipsec)# prop my_proposal + -ah 

\ 

{ sha 8hr } 

# This example shows the addition of a new AH 

transform to an existing proposal. 

Level 2 Quality of Service (QoS) 

configuration commands 

action command (configure Quality of Service level) 

WG#config 

WG(config)#qos 

WG(config-qos)#action - 

bandwidth_weight \ 

 

Effect 

Records a new QoS action or modifies an existing 

action. 

Arguments 

 

This argument, immediately following the 

command, notes the name assigned to this new 

QoS action. 

-bandwidth_weight 

This argument (and the required value) determine 

the level of QoS based on the WFQ algorithm. 



Examples 

WG(config-qos)#action high_QoS - 

bandwidth 25 

WG(config-qos)#action mid_QoS - 

bandwidth 5 

Enable or disable port shaping for interface 0 or 1 

WG#config 

WG(config)#qos 

WG(config-qos)#system [ \ 

] [enable|disable] 

Effect 

Enables (or disables) port shaping for either the 

interface 0 (private) or interface 1 (public) of a 

WatchGuard appliance, and enters the general QoS 

value for that interface. The value entered will be 

the sending throughput of that interface. To enable 

a system port-shaping action, the appliance will 

automatically restart in order to apply the policy. 

Arguments 

 

Use this argument to enter one of these interfaces. 

 

Use this argument to enter one option – Kbps or 

Mbps – plus the appropriate number value. 

 

Use this argument to enter one of these options. 

Example 

WG(config-qos)#system interface 1 10Mbps 

enable 

# This example shows a policy that restricts outputthroughput 

of the Public interface to 10 megabits per 

second. 



Level 2 Remote Access Service (RAS) 

configuration commands 

group_profile command (configure RAS level) 

WG#config 


WG(config-ras)#group_profile \ 

[no][-address_pool ] \ 

[-dns ] [-session_time_out 

] \ 

[-idle_time_out ] \ 

[-concurrent_logins_per_user ] 

Effect 

Creates a new RAS group profile (or modifies an 

existing profile) that controls the connection 

parameters of all associated remote access user 

accounts. 

Arguments 

 

This argument records a name for this group 

profile, which will be used when creating 

individual user profile accounts. 

[no] [-address_pool ] 

This argument specifies the name of an address 

group containing a pool of internal IP addresses 

assigned to remote access connections. 

[-dns ] 

This argument assigns a DNS IP address to the 

remote users belong to this group. 

[-session_time_out ] 

This argument limits the total time any one account 

user can continuously log into the network. The 

default time limit is 8 (hours). 

[-idle_time_out ] 

This argument sets the time limit for an inactive 



connection before it is automatically broken. The 

default is 15 (minutes.) 

[-concurrent_logins_per_user ] 

This argument specifies the number of concurrent 

connections a user can establish. The default is 1. 

Example 

WG(config-ras)#group consultants – 

address sjnet10 \ 

-dns 134.12.33.2 -session 2 hr -idle 5 

min –con 1 

user_profile command (configure RAS level) 

WG#config 


WG(config-ras)#user_profile \ 

[enable|disable] \ 

[-password "password"] \ 

[-full_name ] \ 

[-group_profile "profile_name"] \ 

[-pw_expiry ] \ 

[-account_expiry ] \ 

[-concurrent_logins ] 

Effect 

Enters a new remote access user account (or 

modifies an existing account) in an internal 

database in the WatchGuard appliance. 

Arguments 

 

This argument records the login ID used by this 

remote user account, and should be between 1-15 

characters in length. 

 

This argument activates (or deactivates) this 

account. The default state is “enable”. 

 

This argument records the initial password first 



used by this account, and should be between 6 and 

8 characters in length. 

[-full_name ] 

This argument notes the full name of the user, up to 

15 characters in length. 

[-group_profile “profile_name”] 

This argument specifies which user group profile 

affects this user account. The default choice is 

“default setting”. 

[-pw_expiry ] 

This argument sets the number of days until the 

user’s password expires. The default is 90 days. 

[-account_expiry ] 

This argument sets the number of days until this 

account expires. The default lifetime is 180 days. 

[-concurrent_logins ] 

This argument limits the number of concurrent 

connections this account user can establish. The 

default is 1. 

Example 

WG(config-ras)#user enable jdoe \ 

-password jdsecret -full "John Doe" \ 

-group admGroup -pw_expiry 60 -account 

60 \ 

-concurrent 1 

Results 

To review and confirm your entries, type this 

command: 

WG(config-ras)#show user jdoe 

The results are displayed, similar to this example: 

User Profile| 

Name = jdoe 

Full Name = "John Doe" 

Enabled 

Description = "" 

User Group Profile = admGroup 



Password Expiresat Sat May 19 15:40:40 2001 

Password Epiry = 60 Days 

Account Expiresat Sat May 19 15:40:40 2001 

Account Epiry = 60 Days 

Concurrent Logins = 1 

database command (configure RAS level) 

WG#config 


WG(config-ras)#database 

Effect 

Establishes whether the authentication database is 

stored on the RADIUS server or in this 

WatchGuard Firebox Vclass security appliance, 

then notes the parameters of this database. 

Arguments 

-internal 

This argument specifies the use of an internal 

database within the WatchGuard appliance, for 

RAS user authentication. 

-radius 

This argument specifies the use of a RADIUS 

server as the host for a RAS user authentication 

database. 

If you “-radius”, enter the following 

arguments: 

 

This argument specifies whether the primary or 

backup RADIUS server is currently being 

configured. You’ll need to enter this command two 



times, to configure a primary and a backup server 

connection. 

If you want to delete the configuration entries for a 

backup RADIUS server, enter the “no backup” 

argument. 

-ip 

This argument establishes the IP address of the 

RADIUS server that will be used. 

-secret 

This argument records the secret password 

allowing this appliance to contact the database in 

the RADIUS server. 

[-authentication ] 

This argument establishes which authentication is 

being used; PAP or SecurID. 

[-port ] 

This optional argument records the RADIUS server 

port number, if needed. 

[-user_group ] 

This optional argument specifies the name of a user 

group profile used by RADIUS users. Be sure to 

use the “user_group_profile” command to control 

session time and idle timeout for RADIUS users. 

Examples 

WG(config-ras)#database -radius primary 

\ 

-ip 12.10.1.2 -sec confidential \ 

-auth secure_id -user_group 

exec_staff 

WG(config-ras)#database - 

internal 

WG(config-ras)#database -radius backup 

\ 

-ip 12.10.1.3 \ 

-sec confidential 



Level 2 System Configuration commands 


dns “dns command (configure system level)” on 

page 108 

cpm “cpm command (configure system level)” on 

page 108 

fwuser “fwuser command (configure system level)” 

on page 109 

icmp_error_handling “icmp_error_handling command (configure 

system level)” on page 110 

interface “interface command (configure system level)” 

on page 110 

ldap “ldap command (configure system level)” on 

page 110 

log “log command (configure system level)” on 

page 111 

mss_adjustment “mss_adjustment” on page 112 

ntp “ntp command (configure system level)” on 

page 113 

route “route command (configure system level)” on 

page 113 

snmp “snmp command (configure system level)” on 

page 114 

sysinfo “sysinfo command (configure system level)” 

on page 115 

tcp_sync_checking “tcp_syn_checking” on page 116 

vlan_forwarding “vlan_forwarding command (configure system 

level)” on page 116 

vpn “vpn command (configure system level)” on 

page 117 

no “No command” on page 143 

show “Show command” on page 144 




history “history command” on page 14 

rename “Rename command” on page 143 

exit “exit command” on page 14 

top “top command” on page 15 

dns command (configure system level) 

WG#config 


WG(config-sys)# [no] dns \ 

-server [a.b.c.d] 

Effect 

Records the domain names and IP addresses of all 

relevant domain name servers. 

Argument 

no 

This argument (when entered before the ldap 

command prompt) deactivates this LDAP 

connection. 

 

This argument records the domain name of this 

security appliance. 

 

This argument records the IP address of the DNS 

server. 

Example 

WG(config)#dns my_company.com \ 

-server 24.12.2.1 

cpm command (configure system level) 

WG#config 

WG(config)#cpm 



Effect 

Enables this appliance to be managed by means of 

the WatchGuard Centralized Policy Manager 

(CPM). You can also use this command to disable 

CPM as needed. If enabling CPM access, be sure to 

enter the CPM-access password immediately 

following the “enable” argument. 

Arguments 

enable 

Enter this argument to activate WatchGuard CPM 

access to this WatchGuard appliance. 

 

Enter the text of the CPM access password after 

“enable”. 

disable 

Enter this argument if you have already 

established CPM access and want to disable the 

connection. 

Example 

WG(config)#cpm enable 

cpm_admit_1 

fwuser command (configure system level) 

WG#config 

WG(config)#system 

WG(config-sys)#fwuser -t 

[seconds|minutes] 

Effect 

Allows you to change the value for a firewall user 

connection idle timeout. The system default is two 

hours, and the default increment is "seconds". 

Argument 

-t [seconds|minutes] 



icmp_error_handling command (configure system 

level) 

WG#config 


WG(config-sys)#icmp_error_handling [all]| 

[[no] fragmentation_required] 

[[no] host_unreachable] 

[[no] time_exceeded] 

[[no] port_unreachable] 

[[no] network_unreachable] 

Effect 

Allows you to turn on ICMP error handling for all 

events, or just for the events you specify. 

interface command (configure system level) 

WG#config 


Effect 

Enters the interface configuration mode, at which 

point you can enter interface-specific commands 

and their arguments. 

Arguments 


See Also 

For more information on interface configuration 

mode, see “Level 2 interface configuration 


ldap command (configure system level) 

WG#config 


WG(config-sys)#[no] ldap 

\ 

[port_number] 



Effect 

Activates (or deactivates) a network connection to 

an LDAP server that this security appliance would 

use to look up certificate revocation lists during 

IKE key negotiations. 

Arguments 

no 

This argument (when entered before the ldap 

command prompt) deactivates this LDAP 

connection. 

[port-number] 

This argument notes the pertinent IP address and 

LDAP server port number. You can enter either an 

IP address or a domain name, and, if the LDAP 

server port number is other than “389”, you must 

enter it. 

To enter a host name, you must first record the 

DNS server connection, as noted elsewhere in this 

Guide. 

Example 

WG(config-sys)#ldap 207.124.35.3 

189 

log command (configure system level) 

WG#config 


WG(config-sys)#log 

Effect 

Enters the log configuration mode, at which point 

you can enter log file-specific commands and their 

arguments. 

Arguments 

None in this mode. For more information about 

“log” mode commands, see “Level 3 log 




mss_adjustment 

WG#config 


WG(config-system)#mss_adjustment 

mss_adjustment [auto| limit_to | disable] 

## limit_to range - 40-1460 bytes 

Effect 

Sets the TCP Maximum Segment Size for the 

system. This feature works in conjunction with the 

MTU settings to limit the size of packets, if 

configured. This feature overcomes the following 

problems: 

- Oversized packets can result in fragmentation, 

degrading VPN performance. 

- Proxies may require MSS adjustment to prevent 

fragmentation. 

- Some older systems do not support MTU to 

regulate packet size. This feature works along 

with MTU; it does not replace MTU. 

Arguments 

auto 

Auto adjustment calculates the MSS automatically, 

using the following calculations: 

Determines the lesser value of the input port MTU 

and the output port MTU. Subtracts packet 

overhead, including IP and TCP addressing, 

VLAN, ESP, PPPoE, AH, and UDP encapsulation. 

The result is then rounded down to the next lower 

multiple of 8 bits (8-bit aligned) to determine the 

size in bytes that is required for packet 



transmission. The results of this calculation are 

used as the MSS for the connection. 

limit_to 

This limits MSS to the specified size in bytes. You 

can specify a value between 40—1640 bytes. 

disable 

This specifies that no change be made to the TCP 

header. If you select this option, packets may 

fragment. 

Example 

WG#config 


WG(config-system)#mss_adjustment limit_to 1400 

ntp command (configure system level) 

WG#config 


WG(config-sys)#ntp 

Effect 

Discuss effects 

Arguments 

Describe arguments. 

route command (configure system level) 

WG#config 


WG(config-sys)#route 

Effect 

Enters the system route configuration mode, at 

which point you can enter route-specific 


Arguments 




See Also 

For more information about route mode 

commands, see “Level 3 route configuration 


snmp command (configure system level) 

WG#config 


WG(config-sys)#snmp [a.b.c.d] \ 

[-community][-trap|-no_trap] 

Effect 

Records network connection data for all relevant 

SNMP management workstations that will receive 

traps generated by this security appliance. 

Arguments 

no 

This argument, if entered before the “snmp” 

command prompt, removes/deactivates all 

recorded SNMP stations. 

 

This argument records the IP address for a specific 

SNMP workstation. 

-community 

This argument records the community string. 

[-trap|-no-trap] 

This optional argument activates (or deactivates) 

the SNMP trap settings. 

Example 

WG(config-sys)#snmp 128.13.44.2 \ 

-community 66gHf4D -trap 

Results 

To view the results, type this command: 

WG(config-sys)#show snmp 



sysinfo command (configure system level) 

WG#config 


WG(config-system)#sysinfo 

Effect 

Applies new system information to an existing 

security appliance, including appliance name, 

contact name and actual location of the appliance. 

Arguments 

-name 

Use this argument to record the DNS name of this 

security appliance – without the rest of the DNS 

entry. 

-location 

Use this argument to record the geographic 

location of this appliance. 

-contact 

Use this argument to record the name of the 

administrator. 

-time 

Use this argument to set the system 

time. 

-date 

Use this argument to set the system date. 

Example 

WG(config-sys)#sysinfo -name mucho \ 

-loc "Lot 49" \ 

-contact "O. Maas" 

-time 14:42:05 

-date 10:15:02 



To review and confirm your entries, type this 

command: 

WG(config-sys)#show sysinfo 

The complete results will appear as suggested here 

(in eight lines): 

tcp_syn_checking 

System name=mucho 

System contact=O. Maas 

System location=Lot 49 

Version=4.0 

SerialNum= 

WG#config 


WG(config-system)#tcp_syn_checking 

 

Effect 

This enables or disables TCP SYN checking. 

vlan_forwarding command (configure system level) 

WG#config 


WG(config-sys)#vlan_forwarding 

[enable|disable] 

Effect 

Allows you to enable (or disable) the system-wide 

VLAN forwarding capability. 

Argument 

enable 

Turns on VLAN forwarding. 

disable 

Turns off VLAN forwarding (if it is active). 



vpn command (configure system level) 

WG#config 


WG(config-system)#vpn [[no] 

ignore_DF_for_IPSec] [[no] 

IPSec_pass_through] 

Effect 

This allows you to set options for VPN. 

Arguments 

[no] ignore_DF_for_IPSec 

This enables fragments of large packets through 

the VPN tunnel. If you set this feature, the 

appliance ignores the don't fragment (DF) rule. 

[no] IPSec_pass_through 

This allows IPSec pass-through. 

Level 2 license commands (for upgraded or 

additional features) 

Import command (config license level) 

WG#config 

WG(config)#license 

WG(config-license)#import 

Effect 

Imports a new license that upgrades or adds 

functionality to the appliance. 

Arguments 

None 

active_feature command (config license level) 

WG#config 


WG(config-license)#active_feature 



Effect 

Lists all currently active extra features (obtained 

through licensing). 

Arguments 

None 

delete command (config license level) 

WG#config 


WG(config-license)#delete 

Effect 

Removes the named license from the appliance. 

Arguments 

 

This argument records the exact ID for a license to 

delete. 

Example 

None 

show command (config license level) 

WG#config 


WG(config-license)#show 

Effect 

Displays a summary of the named license or lists 

all available licenses. 

Arguments 

None 

This will list all available licenses. 

 

This argument notes an ID for the license and will 

list the details of that license. 



Example 

WG#config 


WG(config-license)#show 

OrdLicense NameLicense IDExpiration 

Date 

1V80_3DES_HA_Bundle3293MXLD17-05-2022 

or 

WG#config 


WG(config-license)#show 3293MXLD 

License Name:V80_3DES_HA_Bundle 

License ID:3293MXLD 

Feature(s):HA 

3DES 

UPGRADE 

Expiration Date:17-05-2022 

Level 2 tenant configuration commands 

vlan command (configure tenant level) 

WG#config 

WG(config)#tenant 

WG(config-tenant)#vlan 

[-interface ] 

[-ip a.b.c.d/e] [-gateway a.b.c.d] 

[-public 

# valid vlan -id range (1-4094) 

# -ip a.b.c.d/e if specified, the IP address/mask 

assigned for 

# interface 0|2|3 (default is 0) of tenant 

# e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1 

Effect 

Records a new VLAN tenant entry, along with the 

appliance interface that VLAN tenant traffic will be 

expected to use. 



Arguments 

 

This argument records the name assigned to this 

VLAN tenant (for use in security policies.) 

 

This argument record the VLAN ID as "id" 

followed by the number (between 1 and 4096) 

assigned to this tenant. 

 

This argument specifies which interface (0, 2, or 3) 

this VLAN tenant is associated with. 

[-ip a.b.c.d/e] 

This argument records the IP address and subnet 

assigned to the 0 (private) or 2 (DBZ) interface, if 

one of those are specified. 

[-gateway a.b.c.d] 

This argument notes the gateway IP address for 

this tenant, if needed. 

-public


# valid user domain tenant -id must be from 5001 to 

65535 

# -idle_time_out m Idle timeout. m is the number in 

minutes 

# -radius_timeout sec Time out for radius request 

# -radius_retry n number of retries for radius query 

Effect 

Records a new VLAN-specific tenant entry, along 

with the appliance interface that VLAN tenant 

traffic will be expected to use. 

Arguments 

user_domain 

This argument identifies which type of tenant this 

entry represents. 

 

This argument records the name assigned to this 

VLAN tenant (for use in security policies.) 

 

This is "id" followed by the number (above 5000) 

assigned to this tenant. 

-public


the Radius server, if another than the default port 

number is used. 

 

This argument indicates the Radius password and 

its text. 

[-backup_radius_ip a.b.c.d] \ 

[backup_radius_port NUMBER] 

This pair of arguments allows you to note a backup 

Radius server and its port number, if present. 

Example 

WG(config-tenant)#user_domain 

\ 

-interface 1 192.168.12.34 -id 6666 - 

idle 720 \ 

-radius 12.12.3.144 \ 

-radius_secret "no_admit" 

Level 3 configuration mode commands 

The following section, detailing all the third-level configuration 

commands, has been divided into “task” or “topical” 

collections, which include the following: 

• Route configuration this page 

• Log configuration page 124 

Level 3 route configuration commands 

Configure new static route 

WG#config 



WG(config-route)#static \ 

interface 



Effect 

Configures a new static route utilized by traffic 

passing through this WatchGuard appliance. 

Arguments 

 

Use this argument to record the IP address of the 

destination subnet. 

 

Use this argument to record the number of bits in 

the subnet mask, or the destination subnet mask. 

 

Use this argument to record the IP address of the 

next gateway to the destination subnet. 

interface 

This argument specifies which interface in this 

security appliance is used for outgoing traffic using 

this route. 

delete 

Type this argument before typing the arguments 

for a route, to deactivate that particular route. 

Example 

WG(config-route)#static 0.0.0.0/0 \ 

105.10.74.122 pub 

Configure dynamic routing 

WG#config 



WG(config-route)# [no] dynamic 

[import|restart] 

Effect 

Configures dynamic routing in this WatchGuard 

Firebox Vclass security appliance. 



Arguments 

no 

Enter this argument to deactivate dynamic routing 

altogether. 

[import|restart] 

Use these options to import dynamic routing 

information, or to restart the system. 

Examples 

WG(config-route)#dynamic import 

WG(config-route)#dynamic restart 

Level 3 log configuration commands 

Activate or deactivate traffic log file 

WG#config 



WG(config-log)#traffic 

Effect 

Use this command to activate (or deactivate) a 

traffic log file. 

Arguments 

no 

This argument, when entered before the type of log 

file, will deactivate that log. 

Examples 

WG(config-log)#no traffic 

Configure events log file 

WG#config 



WG(config-log)#event \ 

 

Effect 

Use this command to configure the events log file. 



Arguments 

 

Type one of the above-noted “log level” selections 

after the command prompt, to indicate what to 

include in this events log. If you type “critical”, the 

log will record only critical events, whereas if you 

type “info”, the log will record all of the other 

selections too. 

no 

This argument, when entered before “event”, will 

deactivate the event log. 

Example 

WG(config-log)#event error 

Set up remote log server connection 

WG#config 



WG(config-log)#remote_log_server 

 

Effect 

Use this command to set up a remote log server 

connection. 

Arguments 

 

This argument records the IP address of the remote 

log server. 

Example 

WG(config-log)#remote_log_server 

128.19.3.77 

NOTE 

When exiting “config” mode you may be prompted 

Commit before exit? (Y/N). This prompt is 

displayed if you have made changes but have not committed 

them to the WatchGuard appliance database. Type Y to 

commit your changes and return to the WG# prompt, or type 



N to void the changes and leave the database in its previous 

state. 


CHAPTER 4 Debug Mode 

Commands 




Debug Mode. 

Debugging/troubleshooting commands 

The CLI Debug commands, detailed here, enable the 

use of standard Linux commands such as ping, tcpdump, 

netstat, traceroute, and arp. Most commands 

such as “netstat,” “arp,” “ping,” “tcpdump,” and 

“traceroute” are similar to those provided on UNIX, 

Solaris and Linux systems. You can use these commands 

to troubleshoot network environments. 

Debugging configuration information is not saved 

when the database is backed up or exported to an 

XML profile. Debuggging commands are available 

only for runtime debugging purposes. 


CHAPTER 4: Debug Mode Commands 

Debugging information is not synced between HA appliances. 


arp See “arp command” on page 129. 

clear_logs See “clear_logs” on page 129. 

config_http See “config_http command” on page 129. 

conn_idle_timeout See “conn_idle_timeout command” on page 130. 

ha_instant_sync See “ha_instant_sync command” on page 130. 

hwdiag See “hwdiag command” on page 131. 

ifconfig See “ifconfig command” on page 131. 

importscreen See “importscreen command” on page 132. 

kernel_debug See “kernel_debug command” on page 133. 

netstat See “netstat command” on page 134. 

ping See “ping command” on page 134. 

pppoe_config See “pppoe_config command” on page 135. 

radius_ping See “radius_ping command” on page 135. 

rcinfo See “rcinfo command” on page 137. 

reboot See “reboot command” on page 137. 

rs_kdiag See “rs_kdiag command” on page 138. 

set_dos_if See “set_dos_if command” on page 139. 

slink See “slink command” on page 139. 

tcpdump See “tcpdump command” on page 140. 

traceroute See “traceroute command” on page 140. 

verbose_trace See “verbose_trace command” on page 141. 

vinstall See “vinstall command” on page 141. 

show See “Show command” on page 144. 

history See “history command” on page 14. 

exit See “exit command” on page 14. 

top See “top command” on page 15. 


arp command 


WG#debug 

WG(debug)#arp 

Effect 

Displays or manipulates the ARP cache. 

Arguments 

None 

Example 

WG(debug)#arp 

clear_logs 

WG#debug 

WG(debug)#clear_logs 

Effect 

Clear all log entries. 

Argument 

None 

config_http command 

WG#debug 

WG(debug)#config_http [enable | disable | logon_html [ standard | alternate ] ] 

enable Enable HTTPd 

disable Disable HTTPd 

logon_html standard Use default logon HTML page. 

logon_html alternate Use alternate logon HTML page. 

Effect 

Allows you to enable and disable debugging for 

HTTP. 



Arguments 

enable 

Enables HTTP debugging. 

disable 

Disables HTTP debugging. 

logon_html [standard | alternate ] 

Standard allows you to use the deault HTML logon 

debugging page. Alternate allows you to use the 

alternate HTML logon page. 

Example 

WG#debug 

WG(debug)#config_http enable logon_html 

alternate 

conn_idle_timeout command 

WG#debug 

WG#debug conn_idle_timeout [show | set | 

set_default | -h | -? ], where 

show Displays the current settings 

set Set the connection idle timeout (in 

seconds, 1-86400) 

Effect 

This allows you to set the connection idle timeout 

between the Vclass appliance and the Management 

Station. The maximum time is 86,400 seconds (one 

day). The default is 180 seconds (3 minutes). 

Example 

WG#debug conn_idle_timeout 600 

WG#debug conn_idle_timeout set_default 

ha_instant_sync command 

WG#debug 

WG#debug ha_instant_sync [show | enable | disable | 

set_default | -h | -? ], where 

show Displays the current settings 

enable Enable instant state sync 

disable Disable instant state sync 



set_default Restore the setting to the factory 

default value 

Effect 

Enables or disables instant HA state 

synchronization. This is enabled by default. 

Example 

WG#debug ha_instant_sync enable 

hwdiag command 

WG#debug 

WG(debug)#hwdiag < 1 | 2 > 

Effect 

Provides diagnostic information for your 

hardware. Two diagnostic levels are available. 

Type the command 

“hwdiag 1” to perform level 1 hardware 

diagnostic tests, or “hwdiag 2” to 

perform level 2 tests. 

Level 2 hardware diagnostics require that the 

system be rebooted after the tests complete. 

ifconfig command 

WG#debug 

WG#debug ifconfig 

Effect 

ifconfig is the standard Linux command for 

interface configuration. This command can be used 

to configure the interfaces, as an alternative to 

interface configuration in the configuration menu. 

Displays debugging information for the interfaces 

on the appliance. 

Options 

Type -h to get help for this option. ifconfig is a 

standard Linux command, and should be used by a 

knowledgeable administrator. For the interface 

names, use “eth0” through “eth5,” depending on 



how many interfaces your device has. 

Type ifconfig with no options or arguments to 

show detailed interface information. 

NOTE 

When using the ifconfig command in transparent mode, 

you must use eth1, as in the following example: 

ifconfig eth1 ipaddress netmask mask 

You cannot use ifconfig with any other interface (e.g. eth0, 

eth2, eth3) in transparent mode. 

importscreen command 

WG#debug 

WG(debug)#importscreen 

Import a tar file via ftp to customize Firewall User Login 

Screen. 

Syntax: 

importscreen 

 

Example: 

importscreen 10.10.10.10 ftp any public/screen.tar 

Effect 

This command allows you to import a tar-archived 

set of files to replace the https firewall user 

authentication login screen. 

Prerequisites 

The default configuration includes the following 

files: 

- logon.html 

- cert_logon.html 

- user_auth_fail.html 

- index.html 

- user_auth_success.html 


- images/rs_sublogo.gif 


You can save these files from the login and result 

pages to your local system using your browser’s 

“Save” function. Once the files are saved, you can 

edit the files, adding images, replacing text, and 

changing the page layout. However, you should 

not change any of the form input submission 

information, or your pages will not work. 

You must create a compressed tar file(*.tar) that 

includes all of the files you want to replace for the 

logon and result screens. When you have 

completed editing, tar the file (creating a *.tar file), 

and place this file in an accesible FTP upload 

directory. Then, use the CLI to FTP the file to the 

Vclass appliance. 

NOTE 

These operations require a moderate level of HTML 

knowledge and editing skills. 

Example 

WG#debug 

WG(debug)#importscreen 10.10.0.98 

ftpadmin ftppassword public/screens.tar 

kernel_debug command 

WG#debug 

WG(debug)#kernel_debug < on | off > 

Effect 

This command turns kernel debugging on or off. 

Arguments 

None. 

Example 

WG(debug)#kernel_debug on 



netstat command 

WG#debug 

WG(debug)#netstat 

Effect 

This command displays the network status as seen 

from the security appliance’s point of view. To 

review the arguments for this command, type -?. 

The following are some of the available arguments. 

Arguments 

-a Displays active network connections and their 

status 

-i Shows summaries sorted by appliance interface 

-s Shows statistics 

-r Shows routing table information 

Example 

WG(debug)#netstat -i 

ping command 

WG#debug 

WG(debug)#ping 

Effect 

Use the ping command to send an ICMP 

ECHO_REQUEST to a designated device. 

Arguments 

 

This argument records the IP address of the 

device/appliance to be pinged. 

Example 

WG(debug)#ping 122.13.2.9 

The WatchGuard CLI will send ping packets to the 

designated IP address. Enter ^c (Control-C) to stop 

the ping. The CLI will then display the results and 

return to the WG(debug)# prompt. 


pppoe_config command 


pppoe_config [show | set num | set_default] 

show Show current settings. 

set num Set PPPoE parameters. 

-i is for echo interval (1-1200 Sec). 

-f is for echo failure (1-60). 

-r is for re-auth period (0-7200 Min). 

-t is for re-auth interval (0-120 Min). 

num is an integer. 

set_default Restore factory default value. 

Effect 

This command allows you to set PPPoE echo (keepalive) 

and re-authorization times and limits. 

Arguments 

-i allows you to set the echo (keep-alive) interval, 

from 1—1200 seconds. 

-f allows you to set the threshold for echo (keepalive) 

failure, from 1—60 seconds. 

-r allows you to set the re-authorization period, 

from 0—7200 minutes. 

-t alows you to set the re-autorization interval, 

from 0—120minutes. 

set_default allows you to set the default values 

for PPPoE echo and re-authorization. 

Example 

WG(debug)#pppoe_config set -1 300 -f 5\ 

-r 1800 -t 60 

radius_ping command 

WG#debug 

WG(debug)#radius_ping \ 

[-pap |-sid ] \ 

[-p ] [-r ] \ 

[-s ] [-t ] \ 

[-u ] 

Effect 

Use this command to test the connections between 

this WatchGuard appliance and a RADIUS server. 



Pay special attention to the arguments for this 

command. 

Arguments 

[-pap ] 

This optional argument specifies PAP as the 

authentication used by this RADIUS server, along 

with the PAP password. 

[-sid ] 

This optional argument specifies SecurID as the 

authentication used by this RADIUS server, along 

with the SecurID passcode. 

[-p ] 

This argument allows you to record a specific port 

number for the RADIUS server. The default port 

number is “1812” and you can ignore this 

argument if the port number was not changed. 

[-r ] 

This argument specifies the maximum number of 

tries (between 1 and 10) made by this command. 

The default is “3”. 

[-s ] 

This argument records the “secret” login password 

required by the RADIUS server. The default is 

“test123”. 

[-t ] 

This argument establishes the timeout value for 

each test message. 

The default value is “2”. 

[-u ] 

This argument records a RADIUS user name for 



use in this ping attempt. The default entry is 

“test123”. 

 

This argument notes the IP address of the interface 

where the RADIUS request will be sent. 

 

This argument notes the IP address of the RADIUS 

server. 

Example 

WG(debug)# radius_ping -u jsmith -pap 

johnsm \ 

10.10.13.101 10.10.0.5 

[no response from RADIUS server] 

rcinfo command 

WG#debug 

WG(debug)#rcinfo 

Effect 

Shows debug information about the RapidCore 

chip in your appliance. This is used for 

troubleshooting purposes, with WatchGuard 

technical support. 

Example 

WG#debug 

WG(debug)#rcinfo 

reboot command 

WG#debug 

WG(debug)#reboot 

Effect 

Reboots the appliance. 

Example 

WG(debug)#reboot 



rs_kdiag command 

WG#debug 

WG(debug)rs_kdiag 

Effect 

This command displays internal diagnostics 

information. 

Arguments 

None 


set_dos_if command 


WG#debug 

WG(debug)set_dos_if 

[show | set | set_default | -h | -? ], where 

show Show the current settings. 

set xyzv Set DOS protection on interfaces. 

x,y,z,v must be 0 or 1. x is for interface 0, 

y for interface 1, z for interface 2, 

and v for interface 3. 

set_default Restore the setting to the factory default value 

Effect 

This sets denial of service (DOS) protection on 

individual interfaces. The default settings are 

0000000f. 

Example 

WG#debug 

WG(debug)set_dos_if set 0011 

slink command 

WG#debug 

WG(debug)# slink [ [-s] ] [show] 

-s : save configuration only 

Port: eth0, eth1, eth2, eth3 

Mode: 

auto = Auto negotiate 

1000A = 1000BaseFX, AutoNegotiation enabled 

1000H = 1000BaseFX, AutoNegotiation disabled 

100F = 100BaseT, Full-duplex mode 

100H = 100BaseT, Half-duplex mode 



show: current setting 

Effect 

This command sets the physical speed of a specific 

accelerated data interface. 

Arguments 

etho, eth1, eth2, eth3 

Indicates the interface to be changed. 

mode 

auto = Auto negotiate 



1000A = 1000BaseFX, AutoNegotiation enabled 

1000H = 1000BaseFX, AutoNegotiation disabled 





show 

Displays the current setting 

Example 

WG#debug 

WG(debug)# slink eth1 10H 

This sets interface 1 (public) to 10BaseT, Halfduplex 

mode. 

tcpdump command 

WG#debug 

WG(debug)#tcpdump 

Effect 

Dumps all traffic on a network. Tcpdump will 

captures all packets detected by the network 

interfaces of the appliance where “tcpdump” is 

executed. This command may be used to track 

specific packets. 

Arguments 

None 

Example 

WG(debug)#tcpdump 

traceroute command 

WG#debug 

WG(debug)#traceroute 

Effect 

Displays the complete route information to the 

target device. This command utilizes the IP 

protocol “time to live” field and solicits an ICMP 



TIME_EXCEEDED response from each gateway 

along the path to the target device. You can use this 

command to troubleshoot network routing and 

connectivity. 

Arguments 

Be sure to type the IP address of the target device, 

as shown in the example below. 

Example 

WG(debug)#traceroute 

207.188.12.3 

verbose_trace command 

WG#debug 

WG(debug)# verbose_trace [ on | off ] 

Effect 

This command enables/disables verbose tracing in 

the traffic log. If such is enabled, every firewalldropped 

packet will be shown in the traffic log. All 

DNS packets will also be shown in the traffic log. 

NOTE 

If this feature is enabled, there will be an impact to the 

overall system performance due to heavy logging activity. 

vinstall command 

WG#debug 

WG(debug)# vinstall 

 

##This feature allows downgrade from 5.0 to 3.2 or 4.0 

##e.g. vinstall 10.10.10.10 my_username my_password 

"path/encrypted_fbv.tgz" 

## For V10, use non-encrypted file. For others, use 

encrypted file. 

Effect 

This allows you to downgrade to an earlier 

software version–from 5.0 to 4.0 or from 5.0 to 3.2. 



NOTE 

This feature is not supported in software versions earlier than 

5.0. 

Example 

WG#debug 

WG(debug)# vinstall 10.10.0.98 ftpadmin 

ftppass /upload/downgrade/encrypted.tgz 


CHAPTER 5 Other Commands 

No command 

Rename command 

This chapter describes commands that do not belong 

to one of the three main command modes (Administration, 

Configuration, and Debug). 

The no command is used before another command or 

argument to turn off or disable the specified feature. 

The rename command is used to rename objects. 


CHAPTER 5: Other Commands 

Show command 

As a way of viewing lists and details of a WatchGuard 

appliance’s configuration, the Show command (and its 

arguments) provides an adaptable means of cataloging 

such things as address groups, IPSec actions or RAS user 

profiles. Once you determine what’s listed, you can then 

adapt the Show command to view the “contents” of a specifically 

named item, including the settings or configuration 

entries that comprise that item. 

Show command general usage 

WG#show 

Effect 

If you type “show” at the top-level CLI prompt, the 

WatchGuard CLI will display a complete list of 

“show” arguments (listed above in “Contents”), 

that enable you to list almost every kind of object in 

the WatchGuard database, from address groups to 

VLAN objects. 

Arguments 

None. 

The current range of Show commands includes the following: 


address See “Show address command” on page 145. 

alarm See “Show alarm command” on page 146. 

all_routes See “Show all_routes command” on page 147. 

certificate See “Show certificate command” on page 147. 

cpm See “Show CPM command” on page 148. 

denial_of_service See “Show denial_of_service command” on 

page 148. 

diagnostics See “Show diagnostics command” on page 148. 

dns See “Show DNS command” on page 148. 


Show address command 

Display current address groups 

WG#show address 

Show command 


ike See “Show IKE command” on page 149. 

interface See “Show interface command” on page 150. 

ipsec See “Show IPSec command” on page 150. 

ldap See “Show LDAP command” on page 151. 

license See “Show license command” on page 151. 

log See “Show log command” on page 152. 

mode See “Show log command” on page 152. 

nat See “Show NAT command” on page 153. 

ntp See “Show NTP command” on page 153. 

policy See “Show policy command” on page 154. 

qos See “Show QoS command” on page 154. 

ras See “Show RAS command” on page 155. 

route See “Show route command” on page 156. 

sa See “Show SA command” on page 156. 

service See “Show service command” on page 157. 

statistics See “Show statistics command” on page 158. 

sysinfo See “Show sysinfo command” on page 158. 

sysupgrade See “Show sysupgrade command” on page 159. 

trace See “Show trace command” on page 159. 

tunnel_switch See “Show tunnel_switch command” on 

page 159. 

version See “Show version command” on page 160. 

Effect 

Displays the current catalog of address groups 

stored in this WatchGuard Firebox Vclass security 

appliance 



Arguments 

None. 

Display contents of address group 

WG#show address 

Effect 

Displays the current contents of a specifically 

named address group. 

Arguments 

 

This argument notes the address group name. 

Example 

WG#show address exec_staff 

Show alarm command 

WG#show alarm [definition|log 

[more|follow]] 

Effect 

Displays a summary of currnt outstanding alarms. 

Arguments 

definition 

This displays a list of alarm definitions, and 

whether they are enabled. 

log more 

This displays the log of all alarms that have been 

triggered in the past (since the log was last cleared), 

20 lines at a time. 

log follow 

This displays the last 5 line of the alarm log, and 

updates if more alarms get generated. 

Example 

WG#show alarm log more 


Show all_routes command 

WG#show all_routes 

Show command 

Effect 

Displays a summary of the routes–static and 

dynamic–recorded in this WatchGuard appliance. 

Arguments 

None. 

Example 

WG#show all_routes 

Show certificate command 

WG#show certificate 

Effect 

Displays the complete collection of certificates, 

including pending requests root certificates and 

system certificates. 

Examples 


Display certificate settings 


[ca|sys|pending|"cert_id"] 

Effect 

Displays the settings of a certificate according to 

the specific identifying characteristic. 

Arguments 

 

This argument specifies the type of certificates you 

want to review, whether root, system or pending. 

 

This argument notes an actual ID number from a 

certificate–whether root, system or pending. 

Examples 



WG#show certificate pending 

WG#show certificate 19478 

Show CPM command 

WG#show cpm 

Effect 

Shows whether CPM is enabled or disabled, and 

general CPM information. 

Examples 

WG#show cpm 

Arguments 

None. 

Show denial_of_service command 

WG#show denial_of_service 

Effect 

Displays the DOS and DDOS configurations 

currently active in this appliance. 

Arguments 

None. 

Show diagnostics command 

WG#show diagnostics 

Effect 

Shows some diagnostic information for the 

appliance. 

Examples 

WG#show diagnostics 

Arguments 

None. 

Show DNS command 

WG#show dns 


Effect 

Displays any DNS configurations. 

Arguments 

None 

Show IKE command 

Show command 

WG#show ike 

Effect 

Displays the current catalog of IKE policies or 

actions, depending upon your choice of argument. 

Arguments 

 

This argument allows you to specify whether the 

actions or policies are listed. 

Examples 

WG#show ike action 

Display IKE policy parameters 

WG#show ike 

 

Effect 

Displays the parameters of a specifically named 

IKE policy or action. 

Arguments 

action 

This argument will display the contents of the 

named action. 

policy 

This argument will display the contents of the 

named policy. 

Examples 

WG#show ike action basic 

WG#show ike policy secure_VPN 



Show interface command 

WG#show interface 

Effect 

Displays a detailed summary of all data interfaces 

in this WatchGuard appliance. 

Arguments 

None 

Example 

WG#show interface 

Show IPSec command 

WG#show ipsec 

Effect 

Displays the current catalog of IPSec proposals or 

actions--depending upon the argument. 

Arguments 

 

This argument specifies the type of IPSec 

component, action or proposal, that you want to 

review. 

Examples 

WG#show ipsec proposal 

Display an IPSec proposal or action 

WG#show ipsec 

 

Effect 

Displays the contents of a specifically named IPSec 

proposal or action. Type the action or proposal 

name after the "ipsec" command to view the 

specific settings. 

Arguments 

 

This argument specifies the type of IPSec 


Show command 

component, action or proposal, that you want to 

review. 

 

After entering the “action” or “proposal” 

argument, enter this value, which indicates the 

actual name of a specific proposal or action that 

you want to review in detail. 

Examples 

WG#show ipsec proposal md5_sha 

WG#show ipsec action most_secure 

Show LDAP command 

WG#show ldap 

Effect 

Displays any current LDAP server connection 

settings. 

Arguments 

None 

Show license command 

WG#show license [license_id] 

Effect 

Displays the current license file information. You 

can copy the license ID shown with this command, 

and paste it after the show license command to see 

more details about a particular license. 

Arguments 

None 

Example (show license without a license number) 

WG#show license 

Ord License Name License ID Expiration 

Date 

1 DATE_11-6-2002_10:5 64DFC18A261A4771 04-02-2003 



Example (show license with a license number) 

WG#show license 64DFC18A261A4771 

License Name: DATE_11-6-2002_10:51 

License ID: 64DFC18A261A4771 

Feature(s): 

UPGRADE 

3DES 

Expiration Date: 04-02-2003 

Show log command 

WG#show log [more] 

Effect 

Displays the last 25 entries in a designated log file. 

If you enter “config” as the argument, the CLI will 

display the configuration settings for all logs. 

Arguments 

 

This argument will display the current 

configurations for server, traffic and event logs. 

 

Enter one of these six log types in this argument. If 

you do not type a log type, the CLI will simply list 

the types of log files you can view. 

[more] 

This argument displays the complete contents of a 

specified log, one page at a time. 

Example 

WG#show log traffic 

Show mode command 

WG#show mode 


Show command 

Effect 

Displays whether the system is running in Router 

or Transparent Mode. 

Arguments 

None 

Example 

WG#show mode 

Show NAT command 

WG#show nat 

Effect 

Lists any current NAT actions stored in this 

appliance database. 

Arguments 

None 

Display NAT action configuration 

WG#show nat 

Effect 

Displays the configuration of a specifically named 

NAT action. 

Arguments 

 

This argument represents the exact name of the 

NAT action you want to review. 

Example 

WG#show nat static_NAT1 

Show NTP command 

WG#show ntp 

Effect 

Displays the Network Time Protocol configuration. 



Arguments 

None. 

Example 

WG#show ntp 

Show policy command 

WG#show policy 

Effect 

Displays the parameters/settings for a specifically 

named security policy. 

Arguments 

 

This argument notes the exact name of the security 

policy you want to review. 

Example 

WG#show policy SJO-NYC_VPN 

List active security policies 

WG#show policy 

Effect 

Lists all active security policies stored in this 

WatchGuard appliance. 

Arguments 

None 

Example 

WG#show policy 

Show QoS command 

WG#show qos 

Effect 

Displays (1) the current system QoS configuration, 

or (2) a list of currently available QoS actions– 

depending upon your argument entry. 


Show command 

Arguments 

 

This argument represents your preference–to 

review the current system QoS setting or the list of 

available QoS actions. 

Example 

WG#show qos system 

Show QoS action configuration 

WG#show qos action 

Effect 

Displays the configuration of a specified QoS 

action. 

Arguments 

 

This argument indicates, by exact name, the QoS 

action you want to review. 

Example 

WG#show qos action slow_to_55 

Show RAS command 

WG#show ras 

 

Effect 

Displays a complete listing of the specified RAS 

component–group profiles, user profiles or 

database configuration. 

Arguments 

 

This argument represents your preference–to 

review a list of group profiles, a list of user profiles 

or the database settings. 

Example 

WG#show ras database 



Display specific RAS contents 

WG#show ras 

 

Effect 

Displays the contents of the specifically named 

RAS component–a user profile or group profile. 

Arguments 

 

This argument notes either group profile or user 

profile. 

 

This argument records the name of the designated 

object that you want to review. 

Example 

WG#show ras user_profile sales12 

Show route command 

WG#show route 

Effect 

Displays a list of active routes. 

Arguments 

None 

Example 

WG#show route 

Show SA command 

WG#show sa [id] 

Effect 

Lists current phase one or phase two SA 

information, in some detail. If you add the “ID” of 

a specific phase-one SA or phase-two tunnel, the 

CLI will display details of the requested item. 


Show command 

Arguments 

 

This argument specifies your choice of a list of 

phase-one SA’s or a list of phase-two tunnels. 

Either list provides a complete catalog of the 

requested item, in a table that includes 

considerable details about each item. 

[id] 

This argument (when used with p1) will display a 

summary of the identified SA. When used with p2, 

this argument will display a summary of the 

requested tunnel activities. 

Example 

WG#show sa p2 209 

Show service command 

List all service groups 

WG#show service 

Effect 

Displays a complete list of all service groups. 

Arguments 

None 

Example 

WG#show service 

Display service group settings 

WG#show service 

Effect 

Displays the settings for a named service group, 

including port numbers and any associated 

protocols. 



Arguments 

 

This argument represents the exact name of the 

service group you want to review in detail. 

Example 

WG#show service e-mail 

Show SNMP command 

WG#show snmp 

Effect 

Displays the SNMP settings for the appliance. 

Arguments 

None. 

Example 

WG#show snmp 

Show statistics command 

WG#show statistics 

show statistics ras [user_ID] 

show statistics p1sa [ID] 

show statistics p2sa [ID] 

Effect 

Displays statistics for RAS or phase 1 or phase 2 

SA. 

Arguments 

None. 

Example 

WG#show statistics ras ras_user 

Show sysinfo command 

WG#show sysinfo 


Show command 

Effect 

Displays the basic "general" system configurations, 

including appliance name, location, and contact 

person's name. 

Arguments 

None 

Example 

WG#show sysinfo 

Show sysupgrade command 

WG#show sysupgrade 

Effect 

Displays a chronological record of recent system 

software upgrades (including version number and 

date) installed in this WatchGuard appliance. 

Arguments 

None 

Example 

WG#show sysupgrade 

Show trace command 

Show tunnel_switch command 

WG#show tunnel_switch 

Effect 

Displays the status of tunnel switching hardware 

features in this appliance–OFF or ON. 

Arguments 

None 

Example 

WG#show tunnel_switch 



Show version command 

WG#show version 

Effect 

Displays the version number of WatchGuard 

operating software. 

Arguments 

None 

Example 

WG#show version 


Index 

A 

abbreviations 8 

abort system configuration 

changes 43 

accelerated data interface, set 

physical speed of 139 

adding settings and policies 10 

address group modification 43 

address group, display specific 146 

address groups, display all 145 

administration mode commands 15, 

27 

appliance maintenance commands 22 

apply changes 22 

apply changes to interface 

configuration 95 

apply recent configuration changes 45 

argument entry syntax 9 

argument options by command, list 

of 17 

ARP cache, display 129 

ARP cache, manipulate 129 

available commands 17 

available tasks 2 

B 

\ character, use of 9 

C 

WatchGuard Command Line Interface Guide 

case sensitivity of object strings 9 

certificate configuration mode, entry 

into 45 

certificate settings, display 

specific 147 

certificate, import VPN 69 

certificate, request VPN 67 

certificate, show properties 70 

certificates, display all 147 

change system mode 94 

CLI by command 

administration mode 

downgrade 29 

enable 108 

export 30 

flush 31 

ha_sync 31 

passwd 36 

reboot 37 

restore_default 38 

shutdown 38 

all mode commands 

exit 14 

history 14 

top 15 

configuration, level 1 

abort 43 

address 43 

certificate 45 

commit 45 

delete 45 

denial_of_service 46 

high_availability 47 

high_availability (disable) 48 

history 66 

ike 48 

interface 49 

ipsec 49 

license 49 

nat 54 

nat (dynamic action) 56 

policy 57 

qos 60 

ras 61 

rename 61 

schedule 62 

service 63

system 64 

tenant 65 

tunnel_switch 65 


action (ike) 78 

action (IPSec) 95 

action (QoS) 100 

active_feature (license) 117 

database (RAS) 105 

delete (license) 118 

dns (system) 108 

enable (high_availability) 74 

exit (high_availability) 76 

exit (interface) 95 

fwuser (system - 

idle_timeout) 109 

group_profile (RAS) 102 

ha2 (interface) 93 

import 69 

import (license) 117 

interface 82 

interface (system) 110 

interface 0 (interface) 83 



ldap (system) 110 

log (system) 111 

mode 94 

policy (ike) 80 

private (interface) 85 

proposal (IPSec) 99 

request 67 

route (system) 113 

show 70 

show (high_availability) 72 

show (interface) 82 

show (license) 118 

snmp (system) 114 

ssl 71 

sysinfo (system) 115 

system (QoS enable/ 

disable) 101 

user_domain(tenant) 120 

user_profile (RAS) 103 

vlan(tenant) 119 

vlan_fowarding (system) 116 


dynamic (system\route) 123 

event (system\log) 124 

remote_log_server 

(system\log) 125 

static (system\route) 122 

traffic (system\log) 124 

display arguments 

show 145 

show address 145 

show address 

14 

6 

show all_routes 147 

show cert 147 

show cert (by ID) 147 

show denial_of_service 148 

show dns 148 

show ike 149 

show ike (by name) 149 

show interface 150 

show ipsec 150 

show ldap 151 

show log 152 

show mode 152 

show nat 153 

show nat (by name) 153 

show policy 154 

show policy (by name) 154 

show qos 154 

show qos (by name) 155 

show ras 155 

show ras (by name) 156 

show route 156 

show sa 156 

show service 157 

show service (by name) 157 

show sysinfo 158 

show sysupgrade 159 

show tunnel_switch 159 

show version 160 

troubleshooting 

arp 129 

clear_logs 129 

netstat 134 

ping 134 

radius_ping 135 

rs_kdiag 138 

slink 139 

tcpdump 140 

traceroute 140 

verbose_trace 141 

CLI capabilites 2 

CLI commands

administration mode 

disable 108 

CLI editing 

appending to recent command 11 

argument syntax 9 

use of \ character 9 

case sensitivity 9 

case sensitivity in object strings 9 

command abbreviation 8 

command prompt 8 

delete 10 

exchanging command arguments 

in recent command 12 

grouping parameters 10 

help command 17 

keywords 15 

line continuation 9 

CLI navigation 13 

command history 11 

command prompt, navigation with 8 

Common Criteria operation mode 35 

configuration, initial 20 

conn_idle_timeout 130 

connection to a workstation 

direct 5 

connection to workstation, 

through network 5 

conventions 3–5, 25–27 

currently available commands 17 

D 

data interfaces, display address 

settings 82 

data interfaces, show detailed 

summary of 150 

DDOS 

See denial of service 

DDOS configurations, show 148 

debug 

information not exported to 

xml 127 

debugging commands 127–141 

delete license 118 

delete specific configuration 

changes 45 

deleting items in database 22 

deleting text 10 

denial of service parameter 

configuration 46 


DHCP server configuration options 85 

disable 108 

disable keyword 15 

disable port shaping 101 

disable tunnel switching 65 

display commands 144 

display interface addresses 

See data interfaces 

DMZ See interface 2 

DNS configurations, show 148 

domain name, system level entry 108 

DOS See denial of service 

DOS configurations, show 148 

downgrade 29 

dump network traffic 140 

dynamic route, configure 123 

E 

enable 108 

enable keyword 15 

enable port shaping 101 

enable tunnel switching 65 

erase system configuration 

changes 43 

event log configuration 124 

exchanging command arguments in 

recent command 12 

!!for 

appending to most recent 

command 11 

!! recall command 11 

!number to recall recent command by 

number 11 

existing appliance 

log in 7 

export 30 

export cr/xml/log/ip 30 

extra features active, licensed 117 

F 

factory default appliance 

logging in 6 

factory default restoration 38 

FIPS operation mode 35

firewall authentication screens, 

replacing 132 

H 

HA 2 interface configuration 93 

HA configuration 47 

HA configuration, display 72 

HA enable 74 

HA, apply configuration changes 76 

HA, disabling 48 

ha_instant_sync 130 

ha_sync 31 

help 17 

help online 17 

high availability 

See HA 

high availability configuration, level 

2 72–76 

history 14, 66 

history buffer 11 

history buffer, size of 11 

history command 11 

hotsync process, initiate 31 

I 

ICMP ECHO_REQUEST, send 134 

idle_timeout, changing firewall 

user 109 

IKE action, record 78 

IKE configuration 48 

IKE configuration, level 2 

commands 78–82 

IKE policies, display all 149 

IKE policy or action, show parameters 

of 149 

IKE policy, record 80 

import 

XML profile 33 

import license 117 

import VPN certificate 69 

importscreen 132 

initial configuration commands 20 

interface 0 configuration 83 



interface address settings, display 82 

interface configuration entry 110 

interface configuration, enter 82 

interface configuration, level 2 


interfaces, show detailed summary 

of 150 

internal diagnostics, display 138 

IP addresses, system level entry 108 

IPSec action, recording 95 

IPSec configuration 49 

IPSec configuration, level 2 


IPSec proposal or action, show details 

of specific 150 

IPSec proposal, create or modify 99 

IPSec proposals or actions, show 

catalog of 150 

K 

keywords 

disable 15 

enable 15 

no 15 

L 

LDAP server connection settings, 

show 151 

LDAP server, activate connection 110 

LDAP server, deactivate 

connection 110 

Level 1 configuration mode 41 

Level 2 configuration mode 66–122 

Level 3 configuration mode 122–126 

license commands, level 2 


license configuration 49 

license, delete 118 

license, import new 117 

license, summarize a 118 

licensed features, active 117 

licenses available, list 118 

limitations 3 

line continuation 9 

line continuation character 9 

log configuration 111

log configuration, level 3 


log entries, clear 129 

log file, show last 25 entries of 

specific 152 

log into existing appliance 7 

log into factory default appliance 6 

log out 18 

M 

maintenance commands 22 

MSS 59, 112 

mss_adjustment 112 

mss_adjustment_per_policy 59 

N 

NAT action, record 54 

NAT action, show configuration of 

specific 153 

NAT actions, list current 153 

NAT, dynamic IP 56 

network address translation 

See NAT 

network status, view 134 

no keyword 15 

O 

object strings, case sensitivity of 9 

online help 24 

operation modes 35 

operation_mode command 35 

P 

passwd 36 

password, reset super user 36 

ping a device 134 

+ character, use of 10 

pppoe_config 135 

Private interface 

See interface 0 

profile 


import XML 33 

Public 

See interface 1 

Q 

QoS action, record new 100 

QoS actions, show current 

available 154 

QoS configuration entry 60 

QoS configuration, level 2 


QoS configuration, show all current 

system 154 

QoS configuration, show specific 155 

Quality of Service 

See QoS 

? command 17 

R 

RADIUS server, test connections to 

security appliance 135 

RAS account, create or modify 103 

RAS authentification database, where 

stored 105 

RAS configuration mode 61 

RAS configuration, level 2 


RAS group profile, modify or 

create 102 

RAS, show complete listing of 155 

RAS, show specific RAS 

component 156 

reboot 37 

recall most recent command 11 

recalling a recent command, not most 

recent 11 

recent commands list 14, 66 

reload old software 29 

remote log server connection, 

configure 125 

rename an existing object 61 

replace firewall authentication 

screens 132 

replacing settings and policies 10 

request VPN certificate 67 

reset connections 31

eset Vclass appliance 37 

return to next highest level 14 

return to top command level 15 

route configuration entry 113 

route configuration, level 3 

commands 122 

route information, display of 140 

routes, list all active 156 

routes, summarize all dynamic and 

static 147 

S 

SA information, show curent phase 1 

or 2 156 

schedule a policy 62 

security policies, show active 154 

security policy commands 21 

security policy, create 57 

security policy, show parameters of 

specific 154 

service entry (individual or group) 

new 63 

service group, show specific 157 

service groups, show all 157 

set_dos_if 139 

show arguments, list 145 

show certificate properties 70 

show stored arguments 16 

show stored command entries 16 

showcommands 144 

shut down WatchGuard appliance 38 

SNMP workstations, record 

connection data for 114 

software version number, display 160 

SSL certificate request 71 

static route configuration 122 

system configuration mode 64 

system configuration, level 2 


system configuration, show 

general 158 

system information, apply to security 

appliance 115 

system interface configuration 49 

system interface configuration, 

enter 82 

system mode, display 152 

system software upgrades, show 

recent 159 

T 

tasks available 2 

tasks not available 3 

TCP Maximum Segment Size 

(MSS) 59, 112 

tenant configuration mode entry 65 

tenant configuration, level 2 


tenant entry, record 119 

text deletion 10 

top command 14 

traffic log file, activate 124 

traffic log file, deactivate 124 

troubleshooting commands 127–141 

tunnel switching, show hardware 

status 159 

U 

unavailable tasks 3 

V 

verbose trace, disable 141 

verbose trace, enable 141 

view currently available 

commands 17 

vinstall 141 

VLAN forwarding disable 116 

VLAN forwarding, enable 116 

VLAN specific tenant entry, 

record 120 

VLAN tenant entry, record new 119 

W 

Web certificate 

See SSL certificate

X 

xml export 

debugging information not 

exported 127 

XML profile 

import 33 

WatchGuard Command Line Interface Guide

CLI Guide - WatchGuard Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?